summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorClaude Paroz <claude@2xlibre.net>2020-02-13 20:55:48 +0100
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2020-04-15 12:49:14 +0200
commit71c4fb7beb8e3293243140e4bd74e53989196440 (patch)
tree543c9d7c08e5f2a5ab8e7b7a63d55cea3da983f3 /docs
parent4bb33bb07450ea9b623877417c28e6489246f51c (diff)
Refs #27468 -- Changed default Signer algorithm to SHA-256.
Diffstat (limited to 'docs')
-rw-r--r--docs/internals/deprecation.txt3
-rw-r--r--docs/releases/3.1.txt8
-rw-r--r--docs/topics/signing.txt15
3 files changed, 23 insertions, 3 deletions
diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt
index 257b9a3bf4..76b379ef5a 100644
--- a/docs/internals/deprecation.txt
+++ b/docs/internals/deprecation.txt
@@ -54,6 +54,9 @@ details on these changes.
* Support for the pre-Django 3.1 encoding format of sessions will be removed.
+* Support for the pre-Django 3.1 ``django.core.signing.Signer`` signatures
+ (encoded with the SHA-1 algorithm) will be removed.
+
* The ``get_request`` argument for
``django.utils.deprecation.MiddlewareMixin.__init__()`` will be required and
won't accept ``None``.
diff --git a/docs/releases/3.1.txt b/docs/releases/3.1.txt
index 384fa43dfb..55f539d534 100644
--- a/docs/releases/3.1.txt
+++ b/docs/releases/3.1.txt
@@ -404,6 +404,14 @@ Security
origins. If you need the previous behavior, explicitly set
:setting:`SECURE_REFERRER_POLICY` to ``None``.
+* The default :class:`django.core.signing.Signer` algorithm is changed to the
+ SHA-256. Support for signatures made with the old SHA-1 algorithm remains
+ until Django 4.0.
+
+ Also, the new ``algorithm`` parameter of the
+ :class:`~django.core.signing.Signer` allows customizing the hashing
+ algorithm.
+
Serialization
~~~~~~~~~~~~~
diff --git a/docs/topics/signing.txt b/docs/topics/signing.txt
index 5fa537c579..7927333914 100644
--- a/docs/topics/signing.txt
+++ b/docs/topics/signing.txt
@@ -81,12 +81,17 @@ generate signatures. You can use a different secret by passing it to the
>>> value
'My string:EkfQJafvGyiofrdGnuthdxImIJw'
-.. class:: Signer(key=None, sep=':', salt=None)
+.. class:: Signer(key=None, sep=':', salt=None, algorithm='sha256')
Returns a signer which uses ``key`` to generate signatures and ``sep`` to
separate values. ``sep`` cannot be in the `URL safe base64 alphabet
<https://tools.ietf.org/html/rfc4648#section-5>`_. This alphabet contains
- alphanumeric characters, hyphens, and underscores.
+ alphanumeric characters, hyphens, and underscores. ``algorithm`` must be an
+ algorithm supported by :py:mod:`hashlib`.
+
+ .. versionchanged:: 3.1
+
+ The ``algorithm`` parameter was added.
Using the ``salt`` argument
---------------------------
@@ -139,7 +144,7 @@ created within a specified period of time::
>>> signer.unsign(value, max_age=timedelta(seconds=20))
'hello'
-.. class:: TimestampSigner(key=None, sep=':', salt=None)
+.. class:: TimestampSigner(key=None, sep=':', salt=None, algorithm='sha256')
.. method:: sign(value)
@@ -151,6 +156,10 @@ created within a specified period of time::
otherwise raises ``SignatureExpired``. The ``max_age`` parameter can
accept an integer or a :py:class:`datetime.timedelta` object.
+ .. versionchanged:: 3.1
+
+ The ``algorithm`` parameter was added.
+
Protecting complex data structures
----------------------------------