Opened 8 years ago

Closed 7 years ago

#2249 closed enhancement (invalid)

MD5 is broken sometimes, an option to use SHA would be appreciated.

Reported by: pol@…
Owned by: nobody
Component: Contrib apps
Version:
Severity: normal
Keywords: modpython md5 session
Cc: nikl@…
Triage Stage: Design decision needed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

Machine Info:
Debian Linux 2.4.26-1-386
mod_python 3.1
Apache2
Python 2.3

Description:
Apparently my version of mod_python is not generating md5 strings well. As a result, the session was throwing a "Suspicious Operation" exception when checking for cookie tampering. I am not the first person that this has happened to.

The following fixed the problem:
Modify contrib/sessions/models.py and contrib/admin/views/decorators.py

  • Import sha and change *md5* to *sha*
  • Change encoded_data[:-32], encoded_data[-32:] to encoded_data[:-40], encoded_data[-40:]

Suggestion:
Add a SESSION_KEY_TYPE var to settings.py that allows the user to specify md5 or sha session keys.
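
Added example (not part of the ticket, its attachments or Django's code): a sketch of the tamper check the description refers to, with the split offset derived from the configured digest instead of a hard-coded 32 or 40. It uses Python 3's hashlib and hmac rather than the old md5 and sha modules; the function names, the SECRET_KEY value and the HMAC construction are assumptions of this example.

```python
import base64
import hashlib
import hmac
import pickle

# Assumption: constructed value standing in for settings.SECRET_KEY.
SECRET_KEY = b"constructed-example-secret"


class SuspiciousOperation(Exception):
    """Raised when encoded session data fails the tamper check."""


def tag_length(algorithm):
    # Hex digest length: 32 for md5, 40 for sha1. Derived, not hard-coded.
    return hashlib.new(algorithm).digest_size * 2


def _tag(pickled, algorithm):
    # Keyed digest (HMAC) over the pickled payload, as ASCII hex bytes.
    return hmac.new(SECRET_KEY, pickled, algorithm).hexdigest().encode("ascii")


def encode(session, algorithm="sha1"):
    pickled = pickle.dumps(session)
    return base64.b64encode(pickled + _tag(pickled, algorithm))


def decode(session_data, algorithm="sha1"):
    encoded_data = base64.b64decode(session_data)
    n = tag_length(algorithm)
    pickled, tamper_check = encoded_data[:-n], encoded_data[-n:]
    # Constant-time compare, and verify before unpickling anything.
    if not hmac.compare_digest(_tag(pickled, algorithm), tamper_check):
        raise SuspiciousOperation("session data failed the tamper check")
    return pickle.loads(pickled)


if __name__ == "__main__":
    cookie = encode({"user_id": 7}, "sha1")
    print(decode(cookie, "sha1"))      # round trip with matching settings
    try:
        decode(cookie, "md5")          # wrong digest length: split is off by 8
    except SuspiciousOperation as exc:
        print("rejected:", exc)
```

Sessions written under one algorithm are rejected after the setting changes, so switching digests invalidates existing sessions.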

Attachments (2)

svn.diff (4.1 KB) - added by nikl@… 8 years ago.
svn diff of the changed files
hashes.py (1.1 KB) - added by nikl@… 8 years ago.
I had put this in django/utils/hashes.py

Change History (7)

comment:1 Changed 8 years ago by nikl@…

  • Cc nikl@… added
  • Keywords modpython md5 session added

The topic has been brought up on the mailing lists, e.g.:

http://groups.google.com/group/django-users/browse_thread/thread/360d5b76ea2c614a/9e36f023614f8baf
http://groups.google.com/group/django-users/browse_thread/thread/eeb44c894342d6f7/4b951b6d3a8644dd
http://modpython.org/pipermail/mod_python/2006-June/021482.html

I'd like to propose that the hashing algorithm should be put somewhere else with the possibility to set the preferred hashing algorithm generally, since this is used in several situations (sessions, postdata, comments, ...). Possibly something along the lines of the attached patch?

Changed 8 years ago by nikl@…

svn diff of the changed files

Changed 8 years ago by nikl@…

I had put this in django/utils/hashes.py

comment:2 Changed 8 years ago by nikl@…

For anybody who's also experiencing this problem, Alain Tesio mentioned another odd factor and its workaround on the modpy mailing list:

http://modpython.org/pipermail/mod_python/2006-July/021544.html

comment:3 Changed 7 years ago by mountainpaul

I had the same problem, and a similar solution: instead of dumping the md5, I just test to see if it is working properly by

if md5.new('testencrypt').hexdigest() != '17500f56515d37cd65a68aca1b4679a6':

If it fails then I use sha, if it passes I use md5.

comment:4 Changed 7 years ago by SmileyChris

  • Triage Stage changed from Unreviewed to Design decision needed

From nikl's comment, this looks like it's caused by another library being installed: libmhash2, not a Django problem.

Still, if it's a problem then perhaps we should have a workaround?

comment:5 Changed 7 years ago by ubernostrum

  • Resolution set to invalid
  • Status changed from new to closed

Since this appears to be caused by a third-party library breaking things that are out of our control, I'm going to mark invalid.
