Changes between Initial Version and Version 2 of Ticket #32327


Ignore:
Timestamp:
Jan 6, 2021, 1:55:38 PM (4 years ago)
Author:
Mariusz Felisiak
Comment:

I don't think it's worth complexity, if someone will hit such secret they should buy a lottery ticket and regenerate a secret key.

Legend:

Unmodified
Added
Removed
Modified

  • Ticket #32327

    • Property Resolutionwontfix
    • Property Status newclosed
    • Property Type UncategorizedCleanup/optimization

  • Ticket #32327 – Description

    initial v2  
    1 [`check_secret_key()`](https://github.com/django/django/blob/6a054f768136de2caeaecf6c0fe9ffad76281373/django/core/checks/security/base.py#L192-L204) may return a W009 warning if the output of [`get_random_secret_key()`](https://github.com/django/django/blob/6a054f768136de2caeaecf6c0fe9ffad76281373/django/core/management/utils.py#L77-L82) has less than 5 unique characters. The probability of this occurring is extremely low (2.37595567e-25 if my math is correct), but this seems like a safe check to have anyway.
     1[https://github.com/django/django/blob/6a054f768136de2caeaecf6c0fe9ffad76281373/django/core/checks/security/base.py#L192-L204 check_secret_key()] may return a W009 warning if the output of [https://github.com/django/django/blob/6a054f768136de2caeaecf6c0fe9ffad76281373/django/core/management/utils.py#L77-L82 get_random_secret_key()] has less than 5 unique characters. The probability of this occurring is extremely low (2.37595567e-25 if my math is correct), but this seems like a safe check to have anyway.
    22
    33The patch would be simple: wrap `get_random_secret_key()` in a do-while (or a `while`, because Python) to ensure that the returned secret key is secure.
Back to Top