summaryrefslogtreecommitdiff
path: root/django
diff options
context:
space:
mode:
authorArtem Kosenko <kosc@hotkosc.ru>2020-07-13 20:40:38 +0300
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2020-11-11 12:45:34 +0100
commitb7f500396e05cd1f0bb8901fce16e2d8393d2779 (patch)
tree1944befc1df7139131dd33c5ff57b96fc575df5c /django
parent721c95ba0b67eb46422dcf05a4274960e49c8894 (diff)
Fixed #31757 -- Adjusted system check for SECRET_KEY to warn about autogenerated default keys.
Thanks Nick Pope, René Fleschenberg, and Carlton Gibson for reviews.
Diffstat (limited to 'django')
-rw-r--r--django/core/checks/security/base.py14
-rw-r--r--django/core/management/commands/startproject.py3
2 files changed, 11 insertions, 6 deletions
diff --git a/django/core/checks/security/base.py b/django/core/checks/security/base.py
index d96c318add..8cf3d1d61e 100644
--- a/django/core/checks/security/base.py
+++ b/django/core/checks/security/base.py
@@ -9,6 +9,7 @@ REFERRER_POLICY_VALUES = {
'strict-origin-when-cross-origin', 'unsafe-url',
}
+SECRET_KEY_INSECURE_PREFIX = 'django-insecure-'
SECRET_KEY_MIN_LENGTH = 50
SECRET_KEY_MIN_UNIQUE_CHARACTERS = 5
@@ -68,12 +69,14 @@ W008 = Warning(
)
W009 = Warning(
- "Your SECRET_KEY has less than %(min_length)s characters or less than "
- "%(min_unique_chars)s unique characters. Please generate a long and random "
- "SECRET_KEY, otherwise many of Django's security-critical features will be "
- "vulnerable to attack." % {
+ "Your SECRET_KEY has less than %(min_length)s characters, less than "
+ "%(min_unique_chars)s unique characters, or it's prefixed with "
+ "'%(insecure_prefix)s' indicating that it was generated automatically by "
+ "Django. Please generate a long and random SECRET_KEY, otherwise many of "
+ "Django's security-critical features will be vulnerable to attack." % {
'min_length': SECRET_KEY_MIN_LENGTH,
'min_unique_chars': SECRET_KEY_MIN_UNIQUE_CHARACTERS,
+ 'insecure_prefix': SECRET_KEY_INSECURE_PREFIX,
},
id='security.W009',
)
@@ -195,7 +198,8 @@ def check_secret_key(app_configs, **kwargs):
else:
passed_check = (
len(set(secret_key)) >= SECRET_KEY_MIN_UNIQUE_CHARACTERS and
- len(secret_key) >= SECRET_KEY_MIN_LENGTH
+ len(secret_key) >= SECRET_KEY_MIN_LENGTH and
+ not secret_key.startswith(SECRET_KEY_INSECURE_PREFIX)
)
return [] if passed_check else [W009]
diff --git a/django/core/management/commands/startproject.py b/django/core/management/commands/startproject.py
index 7e09a25e91..164ccdffb5 100644
--- a/django/core/management/commands/startproject.py
+++ b/django/core/management/commands/startproject.py
@@ -1,3 +1,4 @@
+from django.core.checks.security.base import SECRET_KEY_INSECURE_PREFIX
from django.core.management.templates import TemplateCommand
from ..utils import get_random_secret_key
@@ -15,6 +16,6 @@ class Command(TemplateCommand):
target = options.pop('directory')
# Create a random SECRET_KEY to put it in the main settings.
- options['secret_key'] = get_random_secret_key()
+ options['secret_key'] = SECRET_KEY_INSECURE_PREFIX + get_random_secret_key()
super().handle('project', project_name, target, **options)