id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
33199	Deprecate passing positional arguments to Signer.	Daniel Finch	Abhinav Yadav	"We discovered a vulnerability in one of our applications recently which was caused by an inaccurate instantiation of `django.core.signing.Signer`. The developer intended to use the user's email address as the salt for the Signing instance but instead caused it to be used as the key. Here's an example code block that demonstrates the problem:

{{{#!python
signer = Signer(self.context['request'].user.email)
signed_data = signer.sign_object(dict(
    license_number='...',
    product_id='...',
    device_count='...'
))
}}}

In our case, this signed data was then being used to verify a later request and generate an active license. This meant that an attacker could feasibly generate their own licenses if they realised that their email address was the key. The fix for this was to add `salt=` in front of the email variable. It occurred to us that this is a relatively easy mistake to make and could be avoided if the signature of `Signer.__init__` was changed thusly:

{{{#!diff
- def __init__(self, key=None, sep=':', salt=None, algorithm=None):
+ def __init__(self, *, key=None, sep=':', salt=None, algorithm=None):
}}}

That is, adding a `*` after `self` to force the developer to name the parameters."	New feature	closed	Core (Other)	dev	Normal	fixed		Florian Apolloner Daniel Finch Bill Collins Abhyudai	Ready for checkin	1	0	0	0	0	0