Refs #27468 -- Added tests and release notes for signing.dumps()/loads() changes.

Follow up to 71c4fb7beb.
This commit is contained in:
Mariusz Felisiak 2020-07-31 07:33:13 +02:00
parent f4ac167119
commit 1d6fdca557
4 changed files with 17 additions and 5 deletions

View File

@ -76,6 +76,10 @@ details on these changes.
* Support for the pre-Django 3.1 ``django.core.signing.Signer`` signatures * Support for the pre-Django 3.1 ``django.core.signing.Signer`` signatures
(encoded with the SHA-1 algorithm) will be removed. (encoded with the SHA-1 algorithm) will be removed.
* Support for the pre-Django 3.1 ``django.core.signing.dumps()`` signatures
(encoded with the SHA-1 algorithm) in ``django.core.signing.loads()`` will be
removed.
* Support for the pre-Django 3.1 user sessions (that use the SHA-1 algorithm) * Support for the pre-Django 3.1 user sessions (that use the SHA-1 algorithm)
will be removed. will be removed.

View File

@ -418,9 +418,10 @@ Security
origins. If you need the previous behavior, explicitly set origins. If you need the previous behavior, explicitly set
:setting:`SECURE_REFERRER_POLICY` to ``None``. :setting:`SECURE_REFERRER_POLICY` to ``None``.
* The default :class:`django.core.signing.Signer` algorithm is changed to the * The default algorithm of :class:`django.core.signing.Signer`,
SHA-256. Support for signatures made with the old SHA-1 algorithm remains :meth:`django.core.signing.loads`, and :meth:`django.core.signing.dumps` is
until Django 4.0. changed to the SHA-256. Support for signatures made with the old SHA-1
algorithm remains until Django 4.0.
Also, the new ``algorithm`` parameter of the Also, the new ``algorithm`` parameter of the
:class:`~django.core.signing.Signer` allows customizing the hashing :class:`~django.core.signing.Signer` allows customizing the hashing

View File

@ -187,8 +187,8 @@ and tuples) if you pass in a tuple, you will get a list from
.. function:: dumps(obj, key=None, salt='django.core.signing', serializer=JSONSerializer, compress=False) .. function:: dumps(obj, key=None, salt='django.core.signing', serializer=JSONSerializer, compress=False)
Returns URL-safe, sha1 signed base64 compressed JSON string. Serialized Returns URL-safe, signed base64 compressed JSON string. Serialized object
object is signed using :class:`~TimestampSigner`. is signed using :class:`~TimestampSigner`.
.. function:: loads(string, key=None, salt='django.core.signing', serializer=JSONSerializer, max_age=None) .. function:: loads(string, key=None, salt='django.core.signing', serializer=JSONSerializer, max_age=None)

View File

@ -126,6 +126,13 @@ class TestSigner(SimpleTestCase):
self.assertNotEqual(o, signing.dumps(o, compress=True)) self.assertNotEqual(o, signing.dumps(o, compress=True))
self.assertEqual(o, signing.loads(signing.dumps(o, compress=True))) self.assertEqual(o, signing.loads(signing.dumps(o, compress=True)))
def test_dumps_loads_legacy_signature(self):
# RemovedInDjango40Warning: pre-Django 3.1 signatures won't be
# supported.
value = 'a string \u2020'
signed = signing.dumps(value, algorithm='sha1')
self.assertEqual(signing.loads(signed), value)
def test_decode_detects_tampering(self): def test_decode_detects_tampering(self):
"loads should raise exception for tampered objects" "loads should raise exception for tampered objects"
transforms = ( transforms = (