#24994: Document/check that settings.SECRET_KEY should be a valid unicode string
-------------------------------------+-------------------------------------
     Reporter:  Baptiste Mispelon    |                    Owner:  MaartenPI
         Type:                       |                   Status:  new
  Cleanup/optimization               |
    Component:  Core (System         |                  Version:  1.8
  checks)                            |
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Andres Mejia):

 Cryptographic keys are supposed to be random bytes that don't necessarily
 represent a Unicode string. See also the RFC I linked in my comment.

 I think it's fair to assume devs using the SECRET_KEY know it must be used
 as bytes. Various crypto libraries will refuse to accept them otherwise.
 This is true of the hmac, cryptography, and pyOpenSSL libraries.

 As for my use case, a common practice is to use an external script or
 program to pipe secrets into processes that need them. I use something
 like this not only to set up my Django sites but also to rotate the secrets
 in them whenever necessary. The output from a subprocess.check_output()
 call is in bytes. As of now, since Django accepts the SECRET_KEY as bytes,
 I use random bytes for my SECRET_KEY and have it loaded into my Django sites
 via an external program.

--
Ticket URL: <https://code.djangoproject.com/ticket/24994#comment:14>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
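The pattern the comment describes, as an added example that is not code from the ticket, from Django or from the commenter: a secret is read from an external program via subprocess.check_output() (so it arrives as bytes, never through a text decoder), checked for whether it even decodes as UTF-8, and then used directly as an HMAC key. The "external program" here is a constructed stand-in (a Python one-liner emitting os.urandom output) rather than a real secret manager, and the sign/verify helpers are illustrative, not Django's signing API. The key_type_accepted() helper demonstrates the claim that the standard hmac module refuses a str key and only takes bytes.

```python
import hashlib
import hmac
import subprocess
import sys


# Constructed stand-in for an external secret-producing program: writes 50
# random bytes to stdout. A real deployment would invoke its vault/secret
# manager CLI here instead.
SECRET_PROGRAM = [
    sys.executable,
    "-c",
    "import os, sys; sys.stdout.buffer.write(os.urandom(50))",
]


def load_secret_from_program(argv):
    """Run an external program and return its stdout as the secret (bytes).

    subprocess.check_output() returns bytes, so arbitrary random bytes,
    including sequences that are not valid UTF-8, survive intact.
    """
    secret = subprocess.check_output(argv)
    if not secret:
        raise ValueError("secret program produced no output")
    return secret


def decodes_as_unicode(secret):
    """True if the raw secret happens to be valid UTF-8, False otherwise.

    Random key material usually is not, which is the ticket's point: a key
    is bytes, and forcing it to be a Unicode string throws away entropy or
    fails outright.
    """
    try:
        secret.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def key_type_accepted(key):
    """True if hmac.new() accepts `key`, False if it raises TypeError.

    The hmac module accepts bytes and bytearray keys only; passing a str
    raises TypeError.
    """
    try:
        hmac.new(key, b"probe", hashlib.sha256)
    except TypeError:
        return False
    return True


def sign(secret, message):
    """Hex HMAC-SHA256 of `message` under `secret` (both bytes)."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret, message, tag):
    """Constant-time comparison of a received tag against a fresh one."""
    return hmac.compare_digest(sign(secret, message), tag)


if __name__ == "__main__":
    secret = load_secret_from_program(SECRET_PROGRAM)
    print("secret is bytes:", isinstance(secret, bytes), "length:", len(secret))
    print("secret decodes as UTF-8:", decodes_as_unicode(secret))
    print("hmac accepts bytes key:", key_type_accepted(secret))
    print("hmac accepts str key:", key_type_accepted("not-bytes"))
    tag = sign(secret, b"session-data")
    print("tag verifies:", verify(secret, b"session-data", tag))
```

Rotating the secret is then a matter of re-running the external program and restarting the consumer; nothing in the consumer ever needs the key as text.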
