summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAdrian Holovaty <adrian@holovaty.com>2005-07-20 00:37:45 +0000
committerAdrian Holovaty <adrian@holovaty.com>2005-07-20 00:37:45 +0000
commit897d24b220a9615f036ffed663926851a7ec5e64 (patch)
treee9dfc7356eee74f966785f830ab2ed9a4d361fe0
parent43538e78eb98966838168b9d9d84d5f6313e9277 (diff)
Fixed #95 -- Added SECRET_KEY setting instead of hard-coding keys that are shared for every Django installation. 'django-admin.py startproject' now creates a random SECRET_KEY. The auth and comments modules, and the admin middleware, all use SECRET_KEY now, instead of hard-coded values.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@230 bcc190cf-cafb-0310-a4f2-bffc1f526a37
-rwxr-xr-xdjango/bin/django-admin.py15
-rw-r--r--django/conf/global_settings.py5
-rw-r--r--django/conf/project_template/settings/main.py3
-rw-r--r--django/contrib/comments/models/comments.py6
-rw-r--r--django/middleware/admin.py8
-rw-r--r--django/models/auth.py16
6 files changed, 32 insertions, 21 deletions
diff --git a/django/bin/django-admin.py b/django/bin/django-admin.py
index 7aa049a53f..25bcdcf424 100755
--- a/django/bin/django-admin.py
+++ b/django/bin/django-admin.py
@@ -340,15 +340,24 @@ def _start_helper(app_or_project, name, directory, other_name=''):
def startproject(project_name, directory):
"Creates a Django project for the given project_name in the given directory."
+ from whrandom import choice
_start_helper('project', project_name, directory)
# Populate TEMPLATE_DIRS for the admin templates, based on where Django is
# installed.
- settings_file = os.path.join(directory, project_name, 'settings/admin.py')
- settings_contents = open(settings_file, 'r').read()
- fp = open(settings_file, 'w')
+ admin_settings_file = os.path.join(directory, project_name, 'settings/admin.py')
+ settings_contents = open(admin_settings_file, 'r').read()
+ fp = open(admin_settings_file, 'w')
settings_contents = re.sub(r'(?s)\b(TEMPLATE_DIRS\s*=\s*\()(.*?)\)', "\\1\n '%s',\\2)" % ADMIN_TEMPLATE_DIR, settings_contents)
fp.write(settings_contents)
fp.close()
+ # Create a random SECRET_KEY hash, and put it in the main settings.
+ main_settings_file = os.path.join(directory, project_name, 'settings/main.py')
+ settings_contents = open(main_settings_file, 'r').read()
+ fp = open(main_settings_file, 'w')
+ secret_key = ''.join([choice('abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)') for i in range(50)])
+ settings_contents = re.sub(r"(?<=SECRET_KEY = ')'", secret_key + "'", settings_contents)
+ fp.write(settings_contents)
+ fp.close()
startproject.help_doc = "Creates a Django project directory structure for the given project name in the current directory."
startproject.args = "[projectname]"
diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py
index 1c5c589ed5..04923d6345 100644
--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -96,6 +96,11 @@ ADMIN_FOR = []
IGNORABLE_404_STARTS = ('/cgi-bin/', '/_vti_bin', '/_vti_inf')
IGNORABLE_404_ENDS = ('mail.pl', 'mailform.pl', 'mail.cgi', 'mailform.cgi', 'favicon.ico', '.php')
+# A secret key for this particular Django installation. Used in secret-key
+# hashing algorithms. Set this in your settings, or Django will complain
+# loudly.
+SECRET_KEY = ''
+
##############
# MIDDLEWARE #
##############
diff --git a/django/conf/project_template/settings/main.py b/django/conf/project_template/settings/main.py
index db57be686d..a34bac5359 100644
--- a/django/conf/project_template/settings/main.py
+++ b/django/conf/project_template/settings/main.py
@@ -26,6 +26,9 @@ MEDIA_ROOT = ''
# Example: "http://media.lawrence.com"
MEDIA_URL = ''
+# Make this unique, and don't share it with anybody.
+SECRET_KEY = ''
+
ROOT_URLCONF = '{{ project_name }}.settings.urls.main'
TEMPLATE_DIRS = (
diff --git a/django/contrib/comments/models/comments.py b/django/contrib/comments/models/comments.py
index 61988595db..18a6f2cf3f 100644
--- a/django/contrib/comments/models/comments.py
+++ b/django/contrib/comments/models/comments.py
@@ -31,9 +31,6 @@ class Comment(meta.Model):
meta.ForeignKey(core.Site),
)
module_constants = {
- # used as shared secret between comment form and comment-posting script
- 'COMMENT_SALT': 'ijw2f3_MRS_PIGGY_LOVES_KERMIT_avo#*5vv0(23j)(*',
-
# min. and max. allowed dimensions for photo resizing (in pixels)
'MIN_PHOTO_DIMENSION': 5,
'MAX_PHOTO_DIMENSION': 1000,
@@ -123,8 +120,9 @@ class Comment(meta.Model):
'pa,ra') and target (something like 'lcom.eventtimes:5157'). Used to
validate that submitted form options have not been tampered-with.
"""
+ from django.conf.settings import SECRET_KEY
import md5
- return md5.new(options + photo_options + rating_options + target + COMMENT_SALT).hexdigest()
+ return md5.new(options + photo_options + rating_options + target + SECRET_KEY).hexdigest()
def _module_get_rating_options(rating_string):
"""
diff --git a/django/middleware/admin.py b/django/middleware/admin.py
index 0a0a76201a..4ae741de82 100644
--- a/django/middleware/admin.py
+++ b/django/middleware/admin.py
@@ -5,9 +5,7 @@ from django.models.auth import sessions, users
from django.views.registration import passwords
import base64, md5
import cPickle as pickle
-
-# secret used in pickled data to guard against tampering
-TAMPER_SECRET = '09VJWE9_RIZZO_j0jwfe09j'
+from django.conf.settings import SECRET_KEY
ERROR_MESSAGE = "Please enter a correct username and password. Note that both fields are case-sensitive."
@@ -108,13 +106,13 @@ class AdminUserRequired:
def encode_post_data(post_data):
pickled = pickle.dumps(post_data)
- pickled_md5 = md5.new(pickled + TAMPER_SECRET).hexdigest()
+ pickled_md5 = md5.new(pickled + SECRET_KEY).hexdigest()
return base64.encodestring(pickled + pickled_md5)
def decode_post_data(encoded_data):
encoded_data = base64.decodestring(encoded_data)
pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
- if md5.new(pickled + TAMPER_SECRET).hexdigest() != tamper_check:
+ if md5.new(pickled + SECRET_KEY).hexdigest() != tamper_check:
from django.core.exceptions import SuspiciousOperation
raise SuspiciousOperation, "User may have tampered with session cookie."
return pickle.loads(pickled)
diff --git a/django/models/auth.py b/django/models/auth.py
index ecc03de614..6c4624013d 100644
--- a/django/models/auth.py
+++ b/django/models/auth.py
@@ -182,10 +182,6 @@ class Session(meta.Model):
meta.DateTimeField('start_time', 'start time', auto_now=True),
)
module_constants = {
- # Used for providing pseudo-entropy in creating random session strings.
- 'SESSION_SALT': 'ijw2f3_MUPPET_avo#*5)(*',
- # Secret used in cookie to guard against cookie tampering.
- 'TAMPER_SECRET': 'lj908_PIGGY_j0vajeawej-092j3f',
'TEST_COOKIE_NAME': 'testcookie',
'TEST_COOKIE_VALUE': 'worked',
}
@@ -195,26 +191,28 @@ class Session(meta.Model):
def get_cookie(self):
"Returns a tuple of the cookie name and value for this session."
+ from django.conf.settings import AUTH_SESSION_COOKIE, SECRET_KEY
import md5
- from django.conf.settings import AUTH_SESSION_COOKIE
- return AUTH_SESSION_COOKIE, self.session_md5 + md5.new(self.session_md5 + TAMPER_SECRET).hexdigest()
+ return AUTH_SESSION_COOKIE, self.session_md5 + md5.new(self.session_md5 + SECRET_KEY + 'auth').hexdigest()
def _module_create_session(user_id):
"Registers a session and returns the session_md5."
+ from django.conf.settings import SECRET_KEY
import md5, random, sys
# The random module is seeded when this Apache child is created.
- # Use person_id and SESSION_SALT as added salt.
- session_md5 = md5.new(str(random.randint(user_id, sys.maxint - 1)) + SESSION_SALT).hexdigest()
+ # Use person_id and SECRET_KEY as added salt.
+ session_md5 = md5.new(str(random.randint(user_id, sys.maxint - 1)) + SECRET_KEY).hexdigest()
s = Session(None, user_id, session_md5, None)
s.save()
return s
def _module_get_session_from_cookie(session_cookie_string):
+ from django.conf.settings import SECRET_KEY
import md5
if not session_cookie_string:
raise SessionDoesNotExist
session_md5, tamper_check = session_cookie_string[:32], session_cookie_string[32:]
- if md5.new(session_md5 + TAMPER_SECRET).hexdigest() != tamper_check:
+ if md5.new(session_md5 + SECRET_KEY + 'auth').hexdigest() != tamper_check:
raise SuspiciousOperation, "User may have tampered with session cookie."
return get_object(session_md5__exact=session_md5, select_related=True)