#34804 closed Cleanup/optimization (invalid)

legacy_algorithm = 'sha1' removed in django4.0 but new algorithm is hardcoded

Reported by: Awais Qureshi Owned by: nobody
Component: Core (Other) Version: 4.2
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Awais Qureshi)

I am trying to upgrade from django32 to 42 and facing an issue in https://github.com/django/django/blob/3.2/django/core/signing.py#L124

in django32 it is like this

# RemovedInDjango40Warning.

legacy_algorithm = 'sha1'

and in init method it picks the value like this
self.algorithm = algorithm or settings.DEFAULT_HASHING_ALGORITHM

In django42 https://github.com/django/django/blob/4.2.4/django/core/signing.py#L204

algorithm getting value like this

self.algorithm = algorithm or "sha256" ( its a hardcoded value and can be pick via settings)

So here is my code I am using dump method to signing.dumps(data_to_sign, salt=self.key_salt) and it furthers call the TimestampSigner So I am not able to find any way to pass the sha1 which is my current prod setting.

Last option for me is to override the class.

since DEFAULT_HASHING_ALGORITHM is removed. So may be pass param from dumps.

Change History (3)

comment:1 by Awais Qureshi, 16 months ago

Summary: legacy_algorithm = 'sha1' removed in django4.0 but new algo algorithm is hardcodedlegacy_algorithm = 'sha1' removed in django4.0 but new algorithm is hardcoded

comment:2 by Awais Qureshi, 16 months ago

Description: modified (diff)

comment:3 by Mariusz Felisiak, 16 months ago

Resolution: invalid
Status: newclosed

signing.dumps() uses the default Singer algorithm, i.e. SHA256 (as documented). I'm not sure why you want to force unsafe SHA1, but you can do this by using TimestampSigner(algorithm="sha1") in your code.

Note: See TracTickets for help on using tickets.
Back to Top