diff options
| author | Claude Paroz <claude@2xlibre.net> | 2020-02-13 20:55:48 +0100 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-04-15 12:49:14 +0200 |
| commit | 71c4fb7beb8e3293243140e4bd74e53989196440 (patch) | |
| tree | 543c9d7c08e5f2a5ab8e7b7a63d55cea3da983f3 /docs | |
| parent | 4bb33bb07450ea9b623877417c28e6489246f51c (diff) | |
Refs #27468 -- Changed default Signer algorithm to SHA-256.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/internals/deprecation.txt | 3 | ||||
| -rw-r--r-- | docs/releases/3.1.txt | 8 | ||||
| -rw-r--r-- | docs/topics/signing.txt | 15 |
3 files changed, 23 insertions, 3 deletions
diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt index 257b9a3bf4..76b379ef5a 100644 --- a/docs/internals/deprecation.txt +++ b/docs/internals/deprecation.txt @@ -54,6 +54,9 @@ details on these changes. * Support for the pre-Django 3.1 encoding format of sessions will be removed. +* Support for the pre-Django 3.1 ``django.core.signing.Signer`` signatures + (encoded with the SHA-1 algorithm) will be removed. + * The ``get_request`` argument for ``django.utils.deprecation.MiddlewareMixin.__init__()`` will be required and won't accept ``None``. diff --git a/docs/releases/3.1.txt b/docs/releases/3.1.txt index 384fa43dfb..55f539d534 100644 --- a/docs/releases/3.1.txt +++ b/docs/releases/3.1.txt @@ -404,6 +404,14 @@ Security origins. If you need the previous behavior, explicitly set :setting:`SECURE_REFERRER_POLICY` to ``None``. +* The default :class:`django.core.signing.Signer` algorithm is changed to the + SHA-256. Support for signatures made with the old SHA-1 algorithm remains + until Django 4.0. + + Also, the new ``algorithm`` parameter of the + :class:`~django.core.signing.Signer` allows customizing the hashing + algorithm. + Serialization ~~~~~~~~~~~~~ diff --git a/docs/topics/signing.txt b/docs/topics/signing.txt index 5fa537c579..7927333914 100644 --- a/docs/topics/signing.txt +++ b/docs/topics/signing.txt @@ -81,12 +81,17 @@ generate signatures. You can use a different secret by passing it to the >>> value 'My string:EkfQJafvGyiofrdGnuthdxImIJw' -.. class:: Signer(key=None, sep=':', salt=None) +.. class:: Signer(key=None, sep=':', salt=None, algorithm='sha256') Returns a signer which uses ``key`` to generate signatures and ``sep`` to separate values. ``sep`` cannot be in the `URL safe base64 alphabet <https://tools.ietf.org/html/rfc4648#section-5>`_. This alphabet contains - alphanumeric characters, hyphens, and underscores. + alphanumeric characters, hyphens, and underscores. ``algorithm`` must be an + algorithm supported by :py:mod:`hashlib`. + + .. versionchanged:: 3.1 + + The ``algorithm`` parameter was added. Using the ``salt`` argument --------------------------- @@ -139,7 +144,7 @@ created within a specified period of time:: >>> signer.unsign(value, max_age=timedelta(seconds=20)) 'hello' -.. class:: TimestampSigner(key=None, sep=':', salt=None) +.. class:: TimestampSigner(key=None, sep=':', salt=None, algorithm='sha256') .. method:: sign(value) @@ -151,6 +156,10 @@ created within a specified period of time:: otherwise raises ``SignatureExpired``. The ``max_age`` parameter can accept an integer or a :py:class:`datetime.timedelta` object. + .. versionchanged:: 3.1 + + The ``algorithm`` parameter was added. + Protecting complex data structures ---------------------------------- |
