Opened 18 years ago
Closed 17 years ago
#2249 closed enhancement (invalid)
MD5 is broken sometimes, an option to use SHA would be appreciated.
Reported by: | | Owned by: | nobody |
---|---|---|---|
Component: | Contrib apps | Version: | |
Severity: | normal | Keywords: | modpython md5 session |
Cc: | nikl@… | Triage Stage: | Design decision needed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Machine Info:
Debian Linux 2.4.26-1-386
mod_python 3.1
Apache2
Python 2.3
Description:
Apparently my version of mod_python is not generating md5 strings well. As a result, the session was throwing a "Suspicious Operation" exception when checking for cookie tampering. I am not the first person that this has happened to.
The following fixed the problem:
Modify contrib/sessions/models.py and contrib/admin/views/decorators.py
- Import sha and change *md5* to *sha*
- Change encoded_data[:-32], encoded_data[-32:] to encoded_data[:-40], encoded_data[-40:]
Suggestion:
Add a SESSION_KEY_TYPE var to settings.py that allows the user to specify md5 or sha session keys.
Attachments (2)
Change History (7)
comment:1 by , 18 years ago
Cc: | added |
---|---|
Keywords: | modpython md5 session added |
comment:2 by , 18 years ago
For anybody who's also experiencing this problem, Alain Tesio mentioned
another odd factor and its workaround on the modpy-mailinglist:
http://modpython.org/pipermail/mod_python/2006-July/021544.html
comment:3 by , 18 years ago
I had the same problem and a similar solution: instead of dumping the md5, I just test to see if it is working properly by
if (md5.new('testencrypt').hexdigest()!='17500f56515d37cd65a68aca1b4679a6')
If it fails then I use sha, if it passes I use md5.
comment:4 by , 18 years ago
Triage Stage: | Unreviewed → Design decision needed |
---|
From nikl's comment, this looks like it's caused by another library being installed: libmhash2, not a Django problem.
Still, if it's a problem then perhaps we should have a workaround?
comment:5 by , 17 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
Since this appears to be caused by a third-party library breaking things that are out of our control, I'm going to mark invalid.
The topic has been brought up on the mailing lists, e.g.:
http://groups.google.com/group/django-users/browse_thread/thread/360d5b76ea2c614a/9e36f023614f8baf
http://groups.google.com/group/django-users/browse_thread/thread/eeb44c894342d6f7/4b951b6d3a8644dd
http://modpython.org/pipermail/mod_python/2006-June/021482.html
I'd like to propose that the hashing algorithm be put somewhere else, with the possibility to set the preferred hashing algorithm generally, since this is used in several situations (sessions, postdata, comments, ...). Possibly something along the lines of the attached patch?
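Added example (not part of the ticket, its attachments or Django's code): a sketch of the tamper check discussed in the description and the last comment, with the hash selectable through the suggested SESSION_KEY_TYPE setting, the 32/40 slice derived from the digest size instead of hard-coded, and a known-answer self-test in the spirit of comment 3. It uses an HMAC with a constant-time compare in place of a plain digest; SECRET_KEY, the function names, the accepted setting values and the payload are assumptions of this example.

```python
import base64
import hashlib
import hmac

SECRET_KEY = b"constructed-secret"   # constructed value for this example
SESSION_KEY_TYPE = "sha1"            # setting name from the ticket; values assumed

# Published test vectors for the input b"abc" (RFC 1321, FIPS 180).
KNOWN_ANSWERS = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
}

class SuspiciousOperation(Exception):
    """Stand-in for the exception the ticket mentions."""

def hash_works(name):
    """Known-answer self-test: does this build's hash produce the right digest?"""
    return hashlib.new(name, b"abc").hexdigest() == KNOWN_ANSWERS[name]

def pick_algorithm(preferred=SESSION_KEY_TYPE):
    """Return the preferred hash if it passes its self-test, else a working one."""
    for name in (preferred, "sha1", "md5"):
        if hash_works(name):
            return name
    raise RuntimeError("no hash passed its known-answer test")

def tag_length(name):
    """Hex tag length derived from the hash: 32 for md5, 40 for sha1."""
    return hashlib.new(name).digest_size * 2

def make_tag(data, name):
    return hmac.new(SECRET_KEY, data, name).hexdigest().encode("ascii")

def encode(data, name):
    """Append the tamper-check tag to the data and base64 the result."""
    return base64.b64encode(data + make_tag(data, name))

def decode(encoded, name):
    """Split off the tag by the hash's own length and verify it."""
    raw = base64.b64decode(encoded)
    n = tag_length(name)
    data, tamper_check = raw[:-n], raw[-n:]
    if not hmac.compare_digest(make_tag(data, name), tamper_check):
        raise SuspiciousOperation("session data failed the tamper check")
    return data

if __name__ == "__main__":
    algo = pick_algorithm()
    cookie = encode(b"user_id=42", algo)   # constructed session payload
    print(algo, tag_length(algo), decode(cookie, algo))
```

Data written under one algorithm fails the check when read back under the other, so a deployment that switches SESSION_KEY_TYPE invalidates existing sessions.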