From 1d6fdca557e674b9a789b51caadca8985e588492 Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Fri, 31 Jul 2020 07:33:13 +0200 Subject: [PATCH] Refs #27468 -- Added tests and release notes for signing.dumps()/loads() changes. Follow up to 71c4fb7beb8e3293243140e4bd74e53989196440. --- docs/internals/deprecation.txt | 4 ++++ docs/releases/3.1.txt | 7 ++++--- docs/topics/signing.txt | 4 ++-- tests/signing/tests.py | 7 +++++++ 4 files changed, 17 insertions(+), 5 deletions(-) diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt index 826c2ee814..e472d5a443 100644 --- a/docs/internals/deprecation.txt +++ b/docs/internals/deprecation.txt @@ -76,6 +76,10 @@ details on these changes. * Support for the pre-Django 3.1 ``django.core.signing.Signer`` signatures (encoded with the SHA-1 algorithm) will be removed. +* Support for the pre-Django 3.1 ``django.core.signing.dumps()`` signatures + (encoded with the SHA-1 algorithm) in ``django.core.signing.loads()`` will be + removed. + * Support for the pre-Django 3.1 user sessions (that use the SHA-1 algorithm) will be removed. diff --git a/docs/releases/3.1.txt b/docs/releases/3.1.txt index 22e47c93ae..59980ef310 100644 --- a/docs/releases/3.1.txt +++ b/docs/releases/3.1.txt @@ -418,9 +418,10 @@ Security origins. If you need the previous behavior, explicitly set :setting:`SECURE_REFERRER_POLICY` to ``None``. -* The default :class:`django.core.signing.Signer` algorithm is changed to the - SHA-256. Support for signatures made with the old SHA-1 algorithm remains - until Django 4.0. +* The default algorithm of :class:`django.core.signing.Signer`, + :meth:`django.core.signing.loads`, and :meth:`django.core.signing.dumps` is + changed to the SHA-256. Support for signatures made with the old SHA-1 + algorithm remains until Django 4.0. Also, the new ``algorithm`` parameter of the :class:`~django.core.signing.Signer` allows customizing the hashing 
diff --git a/docs/topics/signing.txt b/docs/topics/signing.txt index 43d1b00c4a..b015f4bd87 100644 --- a/docs/topics/signing.txt +++ b/docs/topics/signing.txt @@ -187,8 +187,8 @@ and tuples) if you pass in a tuple, you will get a list from .. function:: dumps(obj, key=None, salt='django.core.signing', serializer=JSONSerializer, compress=False) - Returns URL-safe, sha1 signed base64 compressed JSON string. Serialized - object is signed using :class:`~TimestampSigner`. + Returns URL-safe, signed base64 compressed JSON string. Serialized object + is signed using :class:`~TimestampSigner`. .. function:: loads(string, key=None, salt='django.core.signing', serializer=JSONSerializer, max_age=None) diff --git a/tests/signing/tests.py b/tests/signing/tests.py index 6b7268179d..76aa78fd91 100644 --- a/tests/signing/tests.py +++ b/tests/signing/tests.py @@ -126,6 +126,13 @@ class TestSigner(SimpleTestCase): self.assertNotEqual(o, signing.dumps(o, compress=True)) self.assertEqual(o, signing.loads(signing.dumps(o, compress=True))) + def test_dumps_loads_legacy_signature(self): + # RemovedInDjango40Warning: pre-Django 3.1 signatures won't be + # supported. + value = 'a string \u2020' + signed = signing.dumps(value, algorithm='sha1') + self.assertEqual(signing.loads(signed), value) + def test_decode_detects_tampering(self): "loads should raise exception for tampered objects" transforms = (
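Review bot: `test_dumps_loads_legacy_signature` only shows that `loads()` accepts a valid SHA-1-signed token; it never checks that the legacy fallback still rejects a tampered one, and `test_decode_detects_tampering` below exercises the default algorithm only, so the second signature-verification path in `loads()` is untested for forgery. Add after the final assert `with self.assertRaises(signing.BadSignature): signing.loads(signed + 'x')` so a token that fails both the SHA-256 and the SHA-1 check is proven to be refused rather than silently accepted. Separately, the test passes `algorithm='sha1'` to `signing.dumps()`, yet the `dumps()` signature in this patch's signing.txt hunk lists no `algorithm` parameter; if the keyword is supported it should be documented as transition-only and tied to the Django 4.0 removal entry added in deprecation.txt, otherwise the legacy token should be built from an explicitly constructed `signing.TimestampSigner(salt='django.core.signing', algorithm='sha1')` instead of an undocumented kwarg. The enclosing `class TestSigner` starts outside the hunk.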