Ticket #2249: svn.diff

conf/global_settings.py

@@ -221 +221 @@
 # Hint: you really don't!
 TRANSACTIONS_MANAGED = False
 
+# Which hashing algorithm do you prefer? (see django.util.hashes for available algorithms)
+FAVORITE_HASH_ALGO = "md5"
+
 ##############
 # MIDDLEWARE #
 ##############

contrib/sessions/models.py

@@ -1 @@
-import base64, md5, random, sys
+import base64, random, sys
 import cPickle as pickle
 from django.db import models
+from django.utils.hashes import hash
 from django.utils.translation import gettext_lazy as _
 from django.conf import settings
 
@@ -8 +9 @@
     def encode(self, session_dict):
         "Returns the given session dictionary pickled and encoded as a string."
         pickled = pickle.dumps(session_dict)
-        pickled_md5 = md5.new(pickled + settings.SECRET_KEY).hexdigest()
-        return base64.encodestring(pickled + pickled_md5)
+        pickled_hash = hash.new(pickled + settings.SECRET_KEY).hexdigest()
+        return base64.encodestring(pickled + pickled_hash)
 
     def get_new_session_key(self):
         "Returns session key that isn't being used."
         # The random module is seeded when this Apache child is created.
         # Use person_id and SECRET_KEY as added salt.
         while 1:
-            session_key = md5.new(str(random.randint(0, sys.maxint - 1)) + str(random.randint(0, sys.maxint - 1)) + settings.SECRET_KEY).hexdigest()
+            session_key = hash.new(str(random.randint(0, sys.maxint - 1)) + str(random.randint(0, sys.maxint - 1)) + settings.SECRET_KEY).hexdigest()
             try:
                 self.get(session_key=session_key)
             except self.model.DoesNotExist:
@@ -49 +50 @@
 
     def get_decoded(self):
         encoded_data = base64.decodestring(self.session_data)
-        pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
-        if md5.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
+        pickled, tamper_check = encoded_data[:hash.digest_size*-2], encoded_data[hash.digest_size*-2:]
+        if hash.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
             from django.core.exceptions import SuspiciousOperation
             raise SuspiciousOperation, "User tampered with session cookie."
         try:

contrib/admin/views/decorators.py

@@ -2 +2 @@
 from django.conf import settings
 from django.contrib.auth.models import User, SESSION_KEY
 from django.shortcuts import render_to_response
+from django.utils.hashes import hash
 from django.utils.translation import gettext_lazy
-import base64, datetime, md5
+import base64, datetime
 import cPickle as pickle
 
 ERROR_MESSAGE = gettext_lazy("Please enter a correct username and password. Note that both fields are case-sensitive.")
@@ -28 +29 @@
 
 def _encode_post_data(post_data):
     pickled = pickle.dumps(post_data)
-    pickled_md5 = md5.new(pickled + settings.SECRET_KEY).hexdigest()
-    return base64.encodestring(pickled + pickled_md5)
+    pickled_hash = hash.new(pickled + settings.SECRET_KEY).hexdigest()
+    return base64.encodestring(pickled + pickled_hash)
 
 def _decode_post_data(encoded_data):
     encoded_data = base64.decodestring(encoded_data)
-    pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
-    if md5.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
+    pickled, tamper_check = encoded_data[:hash.digest_size*-2], encoded_data[hash.digest_size*-2:]
+    if hash.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
         from django.core.exceptions import SuspiciousOperation
         raise SuspiciousOperation, "User may have tampered with session cookie."
     return pickle.loads(pickled)