#33199: Consider making Signer parameters keyword-only
------------------------------------------+------------------------
               Reporter:  Daniel Samuels  |          Owner:  nobody
                   Type:  New feature     |         Status:  new
              Component:  Core (Other)    |        Version:  3.2
               Severity:  Normal          |       Keywords:
           Triage Stage:  Unreviewed      |      Has patch:  0
    Needs documentation:  0               |    Needs tests:  0
Patch needs improvement:  0               |  Easy pickings:  0
                  UI/UX:  0               |
------------------------------------------+------------------------

We discovered a vulnerability in one of our applications recently which was caused by an inaccurate instantiation of `django.core.signing.Signer`. The developer intended to use the user's email address as the salt for the Signing instance but instead caused it to be used as the key. Here's an example code block that demonstrates the problem:
{{{#!python
# The email is passed positionally, so it binds to `key`, not `salt`.
signer = Signer(self.context['request'].user.email)
signed_data = signer.sign_object(dict(
    license_number='...',
    product_id='...',
    device_count='...'
))
}}}

In our case, this signed data was then being used to verify a later request and generate an active license. This meant that an attacker could feasibly generate their own licenses if they realised that their email address was the key. The fix for this was to add `salt=` in front of the email variable.

It occurred to us that this is a relatively easy mistake to make and could be avoided if the signature of `Signer.__init__` was changed thusly:

{{{#!diff
- def __init__(self, key=None, sep=':', salt=None, algorithm=None):
+ def __init__(self, *, key=None, sep=':', salt=None, algorithm=None):
}}}

That is, adding a `*` after `self` to force the developer to name the parameters.

--
Ticket URL: <https://code.djangoproject.com/ticket/33199>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/056.dc880fd2ac0b58f620588d35b90fd272%40djangoproject.com.
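Review bot: the bare `*` in the `+` line of the `__init__` diff turns every existing positional call, such as `Signer(key)` or `Signer(key, ':', 'my-salt')`, into a `TypeError`, so the change cannot land as-is; Django's deprecation policy calls for a shim that still accepts positional arguments for a release cycle and emits a deprecation warning, with the hard error deferred to the removal release. Any subclass that overrides `__init__` and forwards to `super().__init__` positionally needs the same treatment. The proposal also ships without tests (one asserting that a positional call warns during the deprecation period and raises after it) and without a release-notes entry; both should accompany the patch.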