Opened 4 years ago
Last modified 4 years ago
#32327 closed Cleanup/optimization
get_random_secret_key() should return a valid secret key — at Initial Version
Reported by: | Sumanth Ratna | Owned by: | nobody |
---|---|---|---|
Component: | Core (Management commands) | Version: | 3.1 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
[check_secret_key()](https://github.com/django/django/blob/6a054f768136de2caeaecf6c0fe9ffad76281373/django/core/checks/security/base.py#L192-L204) may return a W009 warning if the output of [get_random_secret_key()](https://github.com/django/django/blob/6a054f768136de2caeaecf6c0fe9ffad76281373/django/core/management/utils.py#L77-L82) has less than 5 unique characters. The probability of this occurring is extremely low (2.37595567e-25 if my math is correct), but this seems like a safe check to have anyway.
The patch would be simple: wrap `get_random_secret_key()` in a do-while (or a `while`, because Python) to ensure that the returned secret key is secure.
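
The retry loop proposed above, sketched as an added example; it is not Django's code and not a patch from this ticket. `passes_w009`, `get_valid_secret_key`, `constructed_generator` and `max_attempts` are hypothetical names, and the alphabet and 50-character length are assumptions mirroring Django's generator.

```python
import secrets

# Assumptions mirrored from Django's source, not stated on this page:
# the 50-character alphabet and the 50-character minimum length.
CHARS = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"
KEY_LENGTH = 50
MIN_LENGTH = 50
MIN_UNIQUE = 5  # the "5 unique characters" threshold from the ticket


def get_random_secret_key():
    """Stand-in for Django's generator: 50 CSPRNG-chosen characters."""
    return "".join(secrets.choice(CHARS) for _ in range(KEY_LENGTH))


def passes_w009(key):
    """Stand-in for the length and unique-character test behind W009."""
    return len(key) >= MIN_LENGTH and len(set(key)) >= MIN_UNIQUE


def get_valid_secret_key(generate=get_random_secret_key, max_attempts=10):
    """Retry until a candidate passes the check (hypothetical wrapper).

    The loop is bounded: repeated failures mean the random source is broken,
    and that should surface as an error rather than spin forever.
    """
    for _ in range(max_attempts):
        key = generate()
        if passes_w009(key):
            return key
    raise RuntimeError("no valid key after %d attempts" % max_attempts)


def constructed_generator(keys):
    """Hypothetical test helper: replays a fixed list of candidate keys."""
    it = iter(keys)
    return lambda: next(it)


if __name__ == "__main__":
    weak = "abab" * 12 + "ab"  # constructed: 50 chars, 2 unique
    strong = CHARS             # constructed: 50 chars, 50 unique
    # The weak candidate is rejected and the next one is returned.
    print(get_valid_secret_key(constructed_generator([weak, strong])) == strong)
    print(passes_w009(get_valid_secret_key()))
```

Passing the generator in as a parameter is what makes the rejection path testable, since a real CSPRNG will practically never produce a failing key.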