On Tue, Dec 22, 2009 at 12:22 AM, Russell Keith-Magee <freakboy3...@gmail.com> wrote:
> On Tue, Dec 22, 2009 at 8:00 AM, Simon Willison <si...@simonwillison.net> wrote:
>> I've made some changes based on the feedback in this thread:
>>
>> http://github.com/simonw/django/commit/802952bbb8b763e65ee545c6a8f39524b20e147c
>> "Use sha('signer' + secret_key + salt) to derive the key for use in the
>> signature() method, addressing feedback from the django-developers list"
>>
>> The default signature() method now looks like this:
>>
>>     def signature(self, value, salt=''):
>>         # Derive a new key from the SECRET_KEY, using the optional salt
>>         key = sha_constructor('signer' + self.key + salt).hexdigest()
>>         return base64_hmac(value, key)
>>
>> The secret key (self.key here) is now never used directly. Instead, a
>> sha1 hash of the salt 'signer' plus the secret key plus any additional
>> salt is used as the key for the signature. sha1 is used here as
>> protection against weird key length extension attacks (like the one
>> that affected the Flickr API recently).
>>
>> http://github.com/simonw/django/commit/4ed44c2bce5000d6c78c3a26b84d08f636b3589c
>> "RAISE_ERROR now capitalised to emphasize that it is a constant"
>>
>> http://github.com/simonw/django/commit/20f3a693b99ec6af0f91eecb31046e8a07dc7151
>> "Signed cookies now automatically include the name of the cookie as
>> part of the salt"
>>
>> http://github.com/simonw/django/commit/68c52f0b995447d93bce1db486b23a27b918da73
>> "Moved get_cookie_signer in to utils.signed"
>>
>> New patch is attached to the ticket. Is there anything else I need to
>> address before checking it in?
>
> As far as the patch itself is concerned, looks good to me. My only
> other request would be a serving of dogfood - if we're going to
> include a signed cookie module, it would be nice to prove that it can
> actually be used by actually using it.
>
> Russ %-)
>
> --
> You received this message because you are subscribed to the Google Groups "Django developers" group.
> To post to this group, send email to django-develop...@googlegroups.com.
> To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
As an FYI, Eric Florenzano has said that he asked a friend of his, Matthew Dempsky, to take a look at this (from a security perspective); he's the gent who found the security hole in djbdns.

Alex

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Voltaire
"The people's good is the highest law." -- Cicero
"Code can always be simpler than you think, but never as simple as you want" -- Me
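The key-derivation and signing scheme Simon describes in the quoted message, written out as a self-contained Python example added here (it is not Simon's patch and not Django's own code). The exact `base64_hmac` encoding, the `value:signature` layout and the constant-time comparison in `unsign` are assumptions; the thread names the helper but does not show it.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for settings.SECRET_KEY (demo value only).
SECRET_KEY = "constructed-secret-for-demo"


def derive_key(secret_key, salt=""):
    """sha1('signer' + secret_key + salt).hexdigest(), as in the quoted patch.
    The raw secret is never used as an HMAC key; each salt yields its own key."""
    return hashlib.sha1(("signer" + secret_key + salt).encode()).hexdigest()


def base64_hmac(value, key):
    """URL-safe base64 of HMAC-SHA1(key, value) with '=' padding stripped.
    Assumed encoding: the thread only names this helper."""
    mac = hmac.new(key.encode(), value.encode(), hashlib.sha1).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def signature(value, salt="", secret_key=SECRET_KEY):
    # Derive a new key from the SECRET_KEY, using the optional salt
    return base64_hmac(value, derive_key(secret_key, salt))


def sign(value, salt="", secret_key=SECRET_KEY):
    """Append the signature so the value can live client-side (e.g. in a cookie)."""
    return "%s:%s" % (value, signature(value, salt, secret_key))


def unsign(signed_value, salt="", secret_key=SECRET_KEY):
    """Return the original value, or None if the signature does not verify.
    rpartition is safe because the base64 alphabet never contains ':'.
    hmac.compare_digest keeps the check constant-time (an addition here)."""
    value, sep, sig = signed_value.rpartition(":")
    if not sep:
        return None
    expected = signature(value, salt, secret_key)
    if hmac.compare_digest(sig, expected):
        return value
    return None


def sign_cookie(name, value, secret_key=SECRET_KEY):
    """Signed cookies salt with the cookie name, so a value signed for one
    cookie does not verify when presented under another cookie's name."""
    return sign(value, salt=name, secret_key=secret_key)
```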