diff options
| author | Artem Kosenko <kosc@hotkosc.ru> | 2020-07-13 20:40:38 +0300 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-11-11 12:45:34 +0100 |
| commit | b7f500396e05cd1f0bb8901fce16e2d8393d2779 (patch) | |
| tree | 1944befc1df7139131dd33c5ff57b96fc575df5c /django | |
| parent | 721c95ba0b67eb46422dcf05a4274960e49c8894 (diff) | |
Fixed #31757 -- Adjusted system check for SECRET_KEY to warn about autogenerated default keys.
Thanks Nick Pope, René Fleschenberg, and Carlton Gibson for reviews.
Diffstat (limited to 'django')
| -rw-r--r-- | django/core/checks/security/base.py | 14 | ||||
| -rw-r--r-- | django/core/management/commands/startproject.py | 3 |
2 files changed, 11 insertions, 6 deletions
diff --git a/django/core/checks/security/base.py b/django/core/checks/security/base.py index d96c318add..8cf3d1d61e 100644 --- a/django/core/checks/security/base.py +++ b/django/core/checks/security/base.py @@ -9,6 +9,7 @@ REFERRER_POLICY_VALUES = { 'strict-origin-when-cross-origin', 'unsafe-url', } +SECRET_KEY_INSECURE_PREFIX = 'django-insecure-' SECRET_KEY_MIN_LENGTH = 50 SECRET_KEY_MIN_UNIQUE_CHARACTERS = 5 @@ -68,12 +69,14 @@ W008 = Warning( ) W009 = Warning( - "Your SECRET_KEY has less than %(min_length)s characters or less than " - "%(min_unique_chars)s unique characters. Please generate a long and random " - "SECRET_KEY, otherwise many of Django's security-critical features will be " - "vulnerable to attack." % { + "Your SECRET_KEY has less than %(min_length)s characters, less than " + "%(min_unique_chars)s unique characters, or it's prefixed with " + "'%(insecure_prefix)s' indicating that it was generated automatically by " + "Django. Please generate a long and random SECRET_KEY, otherwise many of " + "Django's security-critical features will be vulnerable to attack." % { 'min_length': SECRET_KEY_MIN_LENGTH, 'min_unique_chars': SECRET_KEY_MIN_UNIQUE_CHARACTERS, + 'insecure_prefix': SECRET_KEY_INSECURE_PREFIX, }, id='security.W009', ) @@ -195,7 +198,8 @@ def check_secret_key(app_configs, **kwargs): else: passed_check = ( len(set(secret_key)) >= SECRET_KEY_MIN_UNIQUE_CHARACTERS and - len(secret_key) >= SECRET_KEY_MIN_LENGTH + len(secret_key) >= SECRET_KEY_MIN_LENGTH and + not secret_key.startswith(SECRET_KEY_INSECURE_PREFIX) ) return [] if passed_check else [W009] diff --git a/django/core/management/commands/startproject.py b/django/core/management/commands/startproject.py index 7e09a25e91..164ccdffb5 100644 --- a/django/core/management/commands/startproject.py +++ b/django/core/management/commands/startproject.py @@ -1,3 +1,4 @@ +from django.core.checks.security.base import SECRET_KEY_INSECURE_PREFIX from django.core.management.templates import TemplateCommand from ..utils import get_random_secret_key @@ -15,6 +16,6 @@ class Command(TemplateCommand): target = options.pop('directory') # Create a random SECRET_KEY to put it in the main settings. - options['secret_key'] = get_random_secret_key() + options['secret_key'] = SECRET_KEY_INSECURE_PREFIX + get_random_secret_key() super().handle('project', project_name, target, **options) |
