Refs #27468 -- Added tests and release notes for signing.dumps()/loads() changes.
Follow up to 71c4fb7beb.
parent
f4ac167119
commit
1d6fdca557
|
@ -76,6 +76,10 @@ details on these changes.
|
||||||
* Support for the pre-Django 3.1 ``django.core.signing.Signer`` signatures
|
* Support for the pre-Django 3.1 ``django.core.signing.Signer`` signatures
|
||||||
(encoded with the SHA-1 algorithm) will be removed.
|
(encoded with the SHA-1 algorithm) will be removed.
|
||||||
|
|
||||||
|
* Support for the pre-Django 3.1 ``django.core.signing.dumps()`` signatures
|
||||||
|
(encoded with the SHA-1 algorithm) in ``django.core.signing.loads()`` will be
|
||||||
|
removed.
|
||||||
|
|
||||||
* Support for the pre-Django 3.1 user sessions (that use the SHA-1 algorithm)
|
* Support for the pre-Django 3.1 user sessions (that use the SHA-1 algorithm)
|
||||||
will be removed.
|
will be removed.
|
||||||
|
|
||||||
|
|
|
@ -418,9 +418,10 @@ Security
|
||||||
origins. If you need the previous behavior, explicitly set
|
origins. If you need the previous behavior, explicitly set
|
||||||
:setting:`SECURE_REFERRER_POLICY` to ``None``.
|
:setting:`SECURE_REFERRER_POLICY` to ``None``.
|
||||||
|
|
||||||
* The default :class:`django.core.signing.Signer` algorithm is changed to the
|
* The default algorithm of :class:`django.core.signing.Signer`,
|
||||||
SHA-256. Support for signatures made with the old SHA-1 algorithm remains
|
:meth:`django.core.signing.loads`, and :meth:`django.core.signing.dumps` is
|
||||||
until Django 4.0.
|
changed to the SHA-256. Support for signatures made with the old SHA-1
|
||||||
|
algorithm remains until Django 4.0.
|
||||||
|
|
||||||
Also, the new ``algorithm`` parameter of the
|
Also, the new ``algorithm`` parameter of the
|
||||||
:class:`~django.core.signing.Signer` allows customizing the hashing
|
:class:`~django.core.signing.Signer` allows customizing the hashing
|
||||||
|
|
|
@ -187,8 +187,8 @@ and tuples) if you pass in a tuple, you will get a list from
|
||||||
|
|
||||||
.. function:: dumps(obj, key=None, salt='django.core.signing', serializer=JSONSerializer, compress=False)
|
.. function:: dumps(obj, key=None, salt='django.core.signing', serializer=JSONSerializer, compress=False)
|
||||||
|
|
||||||
Returns URL-safe, sha1 signed base64 compressed JSON string. Serialized
|
Returns URL-safe, signed base64 compressed JSON string. Serialized object
|
||||||
object is signed using :class:`~TimestampSigner`.
|
is signed using :class:`~TimestampSigner`.
|
||||||
|
|
||||||
.. function:: loads(string, key=None, salt='django.core.signing', serializer=JSONSerializer, max_age=None)
|
.. function:: loads(string, key=None, salt='django.core.signing', serializer=JSONSerializer, max_age=None)
|
||||||
|
|
||||||
|
|
|
@ -126,6 +126,13 @@ class TestSigner(SimpleTestCase):
|
||||||
self.assertNotEqual(o, signing.dumps(o, compress=True))
|
self.assertNotEqual(o, signing.dumps(o, compress=True))
|
||||||
self.assertEqual(o, signing.loads(signing.dumps(o, compress=True)))
|
self.assertEqual(o, signing.loads(signing.dumps(o, compress=True)))
|
||||||
|
|
||||||
|
def test_dumps_loads_legacy_signature(self):
|
||||||
|
# RemovedInDjango40Warning: pre-Django 3.1 signatures won't be
|
||||||
|
# supported.
|
||||||
|
value = 'a string \u2020'
|
||||||
|
signed = signing.dumps(value, algorithm='sha1')
|
||||||
|
self.assertEqual(signing.loads(signed), value)
|
||||||
|
|
||||||
def test_decode_detects_tampering(self):
|
def test_decode_detects_tampering(self):
|
||||||
"loads should raise exception for tampered objects"
|
"loads should raise exception for tampered objects"
|
||||||
transforms = (
|
transforms = (
|
||||||
|
|
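Review bot: `test_dumps_loads_legacy_signature` builds its legacy value with `signing.dumps(value, algorithm='sha1')`, so it round-trips through the current code instead of pinning the token format that pre-3.1 releases actually emitted. A hard-coded, pre-generated token (`signed = '<SHA-1 token generated by a pre-3.1 release>'`) would prove backward compatibility. The `dumps()` signature documented in this same commit lists no `algorithm` parameter, so it is worth confirming that the call does not fail with a `TypeError`. Because `loads()` keeps accepting the weaker SHA-1 signatures until Django 4.0, a companion assertion that a tampered legacy token raises `signing.BadSignature` would cover the fallback path too. The `TestSigner` class starts and continues outside this hunk.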