#33199: Consider making Signer parameters keyword-only
------------------------------------------+------------------------
               Reporter:  Daniel Samuels  |          Owner:  nobody
                   Type:  New feature     |         Status:  new
              Component:  Core (Other)    |        Version:  3.2
               Severity:  Normal          |       Keywords:
           Triage Stage:  Unreviewed      |      Has patch:  0
    Needs documentation:  0               |    Needs tests:  0
Patch needs improvement:  0               |  Easy pickings:  0
                  UI/UX:  0               |
------------------------------------------+------------------------
 We discovered a vulnerability in one of our applications recently which
 was caused by an inaccurate instantiation of `django.core.signing.Signer`.
 The developer intended to use the user's email address as the salt for the
 Signing instance but instead caused it to be used as the key. Here's an
 example code block that demonstrates the problem:

 {{{#!python
 from django.core.signing import Signer

 # The email is passed positionally, so it binds to `key`, not `salt`.
 signer = Signer(self.context['request'].user.email)
 signed_data = signer.sign_object(dict(
     license_number='...',
     product_id='...',
     device_count='...'
 ))
 }}}

 In our case, this signed data was then being used to verify a later
 request and generate an active license. This meant that an attacker could
 feasibly generate their own licenses if they realised that their email
 address was the key. The fix for this was to add `salt=` in front of the
 email variable. It occurred to us that this is a relatively easy mistake
 to make and could be avoided if the signature of `Signer.__init__` was
 changed thusly:

 {{{#!diff
 - def __init__(self, key=None, sep=':', salt=None, algorithm=None):
 + def __init__(self, *, key=None, sep=':', salt=None, algorithm=None):
 }}}
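 Review bot: switching every parameter to keyword-only in one step breaks any existing caller that passes `key` positionally (`Signer(key)`), which is a backwards-incompatible change to a public API; suggest a deprecation path that still accepts positional arguments with a warning for a release cycle before enforcing the `*`, plus a test asserting that `Signer('k')` raises `TypeError` once enforced.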

 That is, adding a `*` after `self` to force the developer to name the
 parameters.
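 The following is an added example, not code from the ticket or from Django itself. It models `django.core.signing.Signer` with a simplified HMAC-based stand-in whose `__init__` already has the proposed keyword-only signature, so the positional call from the ticket fails loudly with `TypeError` while `Signer(salt=email)` keeps using the server secret as the key. The `SECRET_KEY` value, the class body and the helper functions are all constructed for this example.

```python
import hashlib
import hmac

# Constructed stand-in for the server's SECRET_KEY setting (assumption).
SECRET_KEY = "constructed-server-secret-do-not-reuse"


class Signer:
    """Simplified HMAC signer modelled on django.core.signing.Signer.

    Hypothetical, not Django's code. Every parameter after ``self`` is
    keyword-only, so ``Signer(email)`` raises TypeError instead of silently
    binding the email to ``key``.
    """

    def __init__(self, *, key=None, sep=":", salt=None, algorithm="sha256"):
        self.key = key if key is not None else SECRET_KEY
        self.sep = sep
        self.salt = salt if salt is not None else "django.core.signing.Signer"
        self.algorithm = algorithm

    def signature(self, value: str) -> str:
        # Salt and secret are folded into a derived HMAC key, so two signers
        # with different salts never produce interchangeable signatures.
        derived = hashlib.new(
            self.algorithm, (self.salt + "signer" + self.key).encode()
        ).digest()
        return hmac.new(derived, value.encode(), self.algorithm).hexdigest()

    def sign(self, value: str) -> str:
        return f"{value}{self.sep}{self.signature(value)}"

    def unsign(self, signed: str) -> str:
        value, _, sig = signed.rpartition(self.sep)
        # Constant-time comparison of the presented and recomputed signature.
        if not hmac.compare_digest(sig, self.signature(value)):
            raise ValueError("Signature does not match")
        return value


def positional_key_is_rejected(email: str) -> bool:
    """The mistake from the ticket, Signer(email): with '*' it cannot be made."""
    try:
        Signer(email)
    except TypeError:
        return True
    return False


def sign_with_salt(email: str, payload: str) -> str:
    """The intended call: the email only namespaces the signature;
    SECRET_KEY remains the signing key."""
    return Signer(salt=email).sign(payload)


def verify(email: str, signed: str) -> bool:
    """True only if the payload was signed under SECRET_KEY with this salt."""
    try:
        Signer(salt=email).unsign(signed)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    email = "alice@example.com"  # constructed sample value
    token = sign_with_salt(email, "license=1")
    print("positional call rejected:", positional_key_is_rejected(email))
    print("verifies with same salt:", verify(email, token))
    print("verifies with other salt:", verify("bob@example.com", token))
```

 The `verify` helper shows the check a licence endpoint would perform: a token signed under one salt does not verify under another, and a tampered payload fails the constant-time comparison, because the secret in the derived key is the server's `SECRET_KEY` rather than a value the requester already knows.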

-- 
Ticket URL: <https://code.djangoproject.com/ticket/33199>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
