Opened 2 years ago
Closed 2 years ago
#34804 closed Cleanup/optimization (invalid)
legacy_algorithm = 'sha1' removed in django4.0 but new algorithm is hardcoded
| Reported by: | Awais Qureshi | Owned by: | nobody |
|---|---|---|---|
| Component: | Core (Other) | Version: | 4.2 |
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
I am trying to upgrade from django32 to 42 and am facing an issue in https://github.com/django/django/blob/3.2/django/core/signing.py#L124

In django32 it is like this:

```python
# RemovedInDjango40Warning.
legacy_algorithm = 'sha1'
```

and in the init method it picks the value like this:

```python
self.algorithm = algorithm or settings.DEFAULT_HASHING_ALGORITHM
```

In django42 (https://github.com/django/django/blob/4.2.4/django/core/signing.py#L204) the algorithm gets its value like this:

```python
self.algorithm = algorithm or "sha256"
```

(it's a hardcoded value and can be picked via settings)

So here is my code: I am using the dump method, `signing.dumps(data_to_sign, salt=self.key_salt)`, and it further calls the `TimestampSigner`, so I am not able to find any way to pass the sha1 which is my current prod setting.

The last option for me is to override the class, since `DEFAULT_HASHING_ALGORITHM` is removed. So maybe pass a param from dumps.
Change History (3)
comment:1 by , 2 years ago
| Summary: | legacy_algorithm = 'sha1' removed in django4.0 but new algo algorithm is hardcoded → legacy_algorithm = 'sha1' removed in django4.0 but new algorithm is hardcoded |
|---|
comment:2 by , 2 years ago
| Description: | modified (diff) |
|---|
comment:3 by , 2 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
`signing.dumps()` uses the default `Signer` algorithm, i.e. `SHA256` (as documented). I'm not sure why you want to force unsafe `SHA1`, but you can do this by using `TimestampSigner(algorithm="sha1")` in your code.
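
The migration case raised in this ticket, as an added example that is not part of the ticket or Django's code: a stdlib-only sketch of a signer with a selectable digest, where tokens signed with sha1 are still accepted once and re-issued under sha256. The token layout, `SECRET`, and all function names are assumptions made for the illustration; in Django the legacy reader would be the `TimestampSigner(algorithm="sha1")` from comment:3.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed value, stands in for SECRET_KEY
CURRENT, LEGACY = "sha256", "sha1"


def _sig(value: bytes, salt: bytes, algorithm: str) -> bytes:
    """HMAC over value, keyed by digest(salt + secret), for one digest name."""
    digest = getattr(hashlib, algorithm)
    key = digest(salt + SECRET).digest()
    mac = hmac.new(key, value, digest).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")


def sign(value: bytes, salt: bytes, algorithm: str = CURRENT) -> bytes:
    return value + b":" + _sig(value, salt, algorithm)


def unsign(token: bytes, salt: bytes, algorithm: str = CURRENT) -> bytes:
    # The signature is base64 and never contains ":", so split on the last one.
    value, sep, sig = token.rpartition(b":")
    if not sep or not hmac.compare_digest(sig, _sig(value, salt, algorithm)):
        raise ValueError("bad signature")
    return value


def unsign_migrating(token: bytes, salt: bytes, allow_legacy: bool = True):
    """Return (value, replacement_token).

    replacement_token is None when the token already verifies under sha256;
    for a valid sha1 token it is the same value re-signed with sha256.
    """
    try:
        return unsign(token, salt), None
    except ValueError:
        if not allow_legacy:
            raise
    value = unsign(token, salt, LEGACY)  # raises if neither digest matches
    return value, sign(value, salt)
```

Once every token issued before the upgrade has expired, call it with `allow_legacy=False` so sha1 signatures stop being accepted.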