Opened 18 years ago

Closed 17 years ago

#2249 closed enhancement (invalid)

MD5 is broken sometimes, an option to use SHA would be appreciated.

Reported by: pol@… Owned by: nobody
Component: Contrib apps Version:
Severity: normal Keywords: modpython md5 session
Cc: nikl@… Triage Stage: Design decision needed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Machine Info:
Debian Linux 2.4.26-1-386
mod_python 3.1
Apache2
Python 2.3

Description:
Apparently my version of mod_python is not generating md5 strings well. As a result, the session was throwing a "Suspicious Operation" exception when checking for cookie tampering. I am not the first person that this has happened to.

The follwing fixed the problem:
Modify contrib/sessions/models.py and contrib/admin/views/decorators.py

  • Import sha and change *md5* to *sha*
  • Change encoded_data[:-32], encoded_data[-32:] to encoded_data[:-40], encoded_data[-40:]

Suggestion:
Add a SESSION_KEY_TYPE var to settings.py that allows the user to specify md5 or sha session keys.

Attachments (2)

svn.diff (4.1 KB ) - added by nikl@… 18 years ago.
svn diff of the changed files
hashes.py (1.1 KB ) - added by nikl@… 18 years ago.
i had put this is in django/utils/hashes.py

Download all attachments as: .zip

Change History (7)

comment:1 by nikl@…, 18 years ago

Cc: nikl@… added
Keywords: modpython md5 session added

the topic has been brought up on the mailinglists, e.g.:

http://groups.google.com/group/django-users/browse_thread/thread/360d5b76ea2c614a/9e36f023614f8baf
http://groups.google.com/group/django-users/browse_thread/thread/eeb44c894342d6f7/4b951b6d3a8644dd
http://modpython.org/pipermail/mod_python/2006-June/021482.html

I'd like to propose that the hashing algorithm should be put somewhere else with the possibility to set the preferred hashing algorithm generally - since this is used in this several situations (sessions, postdata, comments,..). possibly something along the lines of the attached patch?

by nikl@…, 18 years ago

Attachment: svn.diff added

svn diff of the changed files

by nikl@…, 18 years ago

Attachment: hashes.py added

i had put this is in django/utils/hashes.py

comment:2 by nikl@…, 18 years ago

for anybody who's also experiencing this problem, Alain Tesio mentioned
another odd factor and its workaround on the modpy-mailinglist:

http://modpython.org/pipermail/mod_python/2006-July/021544.html

comment:3 by Paul Egges, 17 years ago

I had the same problem, and a similar solution, instead of dumping the md5 I just test to see if it is working properly by

if (md5.new('testencrypt').hexdigest()!='17500f56515d37cd65a68aca1b4679a6')

If it fails then I use sha, if it passes I use md5.

comment:4 by Chris Beaven, 17 years ago

Triage Stage: UnreviewedDesign decision needed

From nikl's comment, this looks like it's caused by another library being installed: libmhash2, not a Django problem.

Still, if it's a problem then perhaps we should have a work around?

comment:5 by James Bennett, 17 years ago

Resolution: invalid
Status: newclosed

Since this appears to be caused by a third-party library breaking things that are out of our control, I'm going to mark invalid.

Note: See TracTickets for help on using tickets.
Back to Top