Ticket #2249: svn.diff

File svn.diff, 4.1 KB (added by nikl@…, 9 years ago)

svn diff of the changed files

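--- a/conf/global_settings.py
+++ b/conf/global_settings.py
@@ -221,6 +221,9 @@
 # Hint: you really don't!
 TRANSACTIONS_MANAGED = False
 
+# Which hashing algorithm do you prefer? (see django.util.hashes for available algorithms)
+FAVORITE_HASH_ALGO = "md5"
+
 ##############
 # MIDDLEWARE #
 ##############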
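Review bot: The comment above FAVORITE_HASH_ALGO points readers at `django.util.hashes`, while both other files in this patch import from `django.utils.hashes`; the comment should name the module the code actually imports, `# Which hashing algorithm do you prefer? (see django.utils.hashes for available algorithms)`. It would also help operators to say here what the setting affects, since the other hunks append a digest of this algorithm to stored session data and to the admin's pickled POST data, so that changing the value presumably invalidates every existing session and any pending login form — worth confirming against django.utils.hashes, which is not in this patch.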
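--- a/contrib/sessions/models.py
+++ b/contrib/sessions/models.py
@@ -1,6 +1,7 @@
-import base64, md5, random, sys
+import base64, random, sys
 import cPickle as pickle
 from django.db import models
+from django.utils.hashes import hash
 from django.utils.translation import gettext_lazy as _
 from django.conf import settings
 
@@ -8,15 +9,15 @@
     def encode(self, session_dict):
         "Returns the given session dictionary pickled and encoded as a string."
         pickled = pickle.dumps(session_dict)
-        pickled_md5 = md5.new(pickled + settings.SECRET_KEY).hexdigest()
-        return base64.encodestring(pickled + pickled_md5)
+        pickled_hash = hash.new(pickled + settings.SECRET_KEY).hexdigest()
+        return base64.encodestring(pickled + pickled_hash)
 
     def get_new_session_key(self):
         "Returns session key that isn't being used."
         # The random module is seeded when this Apache child is created.
         # Use person_id and SECRET_KEY as added salt.
         while 1:
-            session_key = md5.new(str(random.randint(0, sys.maxint - 1)) + str(random.randint(0, sys.maxint - 1)) + settings.SECRET_KEY).hexdigest()
+            session_key = hash.new(str(random.randint(0, sys.maxint - 1)) + str(random.randint(0, sys.maxint - 1)) + settings.SECRET_KEY).hexdigest()
             try:
                 self.get(session_key=session_key)
             except self.model.DoesNotExist:
@@ -49,8 +50,8 @@
 
     def get_decoded(self):
         encoded_data = base64.decodestring(self.session_data)
-        pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
-        if md5.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
+        pickled, tamper_check = encoded_data[:hash.digest_size*-2], encoded_data[hash.digest_size*-2:]
+        if hash.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
             from django.core.exceptions import SuspiciousOperation
             raise SuspiciousOperation, "User tampered with session cookie."
         try: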
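Review bot: The integrity tag in `encode` and `get_decoded` is still a bare digest of `pickled + settings.SECRET_KEY`, which is an ad-hoc secret-suffix construction rather than a proper message authentication code; now that the digest is pluggable this is the moment to switch to the standard-library `hmac` module, which takes the same digest object as its digestmod. In `encode` that is `pickled_hash = hmac.new(settings.SECRET_KEY, pickled, hash).hexdigest()` and in `get_decoded` `if hmac.new(settings.SECRET_KEY, pickled, hash).hexdigest() != tamper_check:`, plus `import hmac` in the import hunk; the `hash.digest_size*-2` slicing stays correct because the HMAC hex output has the same length as the plain digest. This assumes the object exported by django.utils.hashes offers the module-style `new`/`digest_size` interface the hunk already relies on, which is not visible in this patch. The same change applies to `_encode_post_data` and `_decode_post_data` in contrib/admin/views/decorators.py below. Note that `get_new_session_key` and `get_decoded` both continue past the end of their hunks.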
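--- a/contrib/admin/views/decorators.py
+++ b/contrib/admin/views/decorators.py
@@ -2,8 +2,9 @@
 from django.conf import settings
 from django.contrib.auth.models import User, SESSION_KEY
 from django.shortcuts import render_to_response
+from django.utils.hashes import hash
 from django.utils.translation import gettext_lazy
-import base64, datetime, md5
+import base64, datetime
 import cPickle as pickle
 
 ERROR_MESSAGE = gettext_lazy("Please enter a correct username and password. Note that both fields are case-sensitive.")
@@ -28,13 +29,13 @@
 
 def _encode_post_data(post_data):
     pickled = pickle.dumps(post_data)
-    pickled_md5 = md5.new(pickled + settings.SECRET_KEY).hexdigest()
-    return base64.encodestring(pickled + pickled_md5)
+    pickled_hash = hash.new(pickled + settings.SECRET_KEY).hexdigest()
+    return base64.encodestring(pickled + pickled_hash)
 
 def _decode_post_data(encoded_data):
     encoded_data = base64.decodestring(encoded_data)
-    pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
-    if md5.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
+    pickled, tamper_check = encoded_data[:hash.digest_size*-2], encoded_data[hash.digest_size*-2:]
+    if hash.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
         from django.core.exceptions import SuspiciousOperation
         raise SuspiciousOperation, "User may have tampered with session cookie."
     return pickle.loads(pickled)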
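Review bot: `from django.utils.hashes import hash` in the import hunk rebinds the builtin `hash` for the whole module, so any later `hash(obj)` call in this file would hit the imported object instead of the builtin and fail in a confusing way; the same import is added to contrib/sessions/models.py above. Importing under a non-clashing name, `from django.utils.hashes import hash as hash_algo`, and renaming the four uses in `_encode_post_data` and `_decode_post_data` accordingly avoids the shadowing without changing behaviour. `_decode_post_data` is fully visible, so the rename is self-contained within this hunk.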