Opened 17 months ago
Closed 17 months ago
#34804 closed Cleanup/optimization (invalid)
legacy_algorithm = 'sha1' removed in django4.0 but new algorithm is hardcoded
Reported by: | Awais Qureshi | Owned by: | nobody |
---|---|---|---|
Component: | Core (Other) | Version: | 4.2 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
I am trying to upgrade from Django 3.2 to 4.2 and am facing an issue in https://github.com/django/django/blob/3.2/django/core/signing.py#L124
In Django 3.2 it is like this:
# RemovedInDjango40Warning.
legacy_algorithm = 'sha1'
and in the init method it picks the value like this:
self.algorithm = algorithm or settings.DEFAULT_HASHING_ALGORITHM
In Django 4.2 (https://github.com/django/django/blob/4.2.4/django/core/signing.py#L204) algorithm gets its value like this:
self.algorithm = algorithm or "sha256"
(it's a hardcoded value and can be picked via settings)
So here is my code: I am using the dumps method, signing.dumps(data_to_sign, salt=self.key_salt), and it further calls the TimestampSigner.
So I am not able to find any way to pass sha1, which is my current prod setting.
The last option for me is to override the class, since DEFAULT_HASHING_ALGORITHM is removed. So maybe pass a param from dumps.
Change History (3)
comment:1 by , 17 months ago
Summary: | legacy_algorithm = 'sha1' removed in django4.0 but new algo algorithm is hardcoded → legacy_algorithm = 'sha1' removed in django4.0 but new algorithm is hardcoded |
---|
comment:2 by , 17 months ago
Description: | modified (diff) |
---|
comment:3 by , 17 months ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
signing.dumps() uses the default Signer algorithm, i.e. SHA256 (as documented). I'm not sure why you want to force unsafe SHA1, but you can do this by using TimestampSigner(algorithm="sha1") in your code.