Refs #27468 -- Added tests and release notes for signing.dumps()/loads() changes.

Follow up to 71c4fb7beb.
2020-07-31 07:33:13 +02:00 · 2020-07-31 07:33:13 +02:00 · 1d6fdca557
parent f4ac167119
commit 1d6fdca557
4 changed files with 17 additions and 5 deletions
--- a/docs/internals/deprecation.txt
+++ b/docs/internals/deprecation.txt
@ -76,6 +76,10 @@ details on these changes.
 * Support for the pre-Django 3.1 ``django.core.signing.Signer`` signatures
  (encoded with the SHA-1 algorithm) will be removed.

+* Support for the pre-Django 3.1 ``django.core.signing.dumps()`` signatures
+  (encoded with the SHA-1 algorithm) in ``django.core.signing.loads()`` will be
+  removed.
+
 * Support for the pre-Django 3.1 user sessions (that use the SHA-1 algorithm)
  will be removed.

--- a/docs/releases/3.1.txt
+++ b/docs/releases/3.1.txt
@ -418,9 +418,10 @@ Security
  origins. If you need the previous behavior, explicitly set
  :setting:`SECURE_REFERRER_POLICY` to ``None``.

-* The default :class:`django.core.signing.Signer` algorithm is changed to the
-  SHA-256. Support for signatures made with the old SHA-1 algorithm remains
-  until Django 4.0.
+* The default algorithm of :class:`django.core.signing.Signer`,
+  :meth:`django.core.signing.loads`, and :meth:`django.core.signing.dumps` is
+  changed to the SHA-256. Support for signatures made with the old SHA-1
+  algorithm remains until Django 4.0.

  Also, the new ``algorithm`` parameter of the
  :class:`~django.core.signing.Signer` allows customizing the hashing
--- a/docs/topics/signing.txt
+++ b/docs/topics/signing.txt
@ -187,8 +187,8 @@ and tuples) if you pass in a tuple, you will get a list from

 .. function:: dumps(obj, key=None, salt='django.core.signing', serializer=JSONSerializer, compress=False)

-    Returns URL-safe, sha1 signed base64 compressed JSON string. Serialized
-    object is signed using :class:`~TimestampSigner`.
+    Returns URL-safe, signed base64 compressed JSON string. Serialized object
+    is signed using :class:`~TimestampSigner`.

 .. function:: loads(string, key=None, salt='django.core.signing', serializer=JSONSerializer, max_age=None)

--- a/tests/signing/tests.py
+++ b/tests/signing/tests.py
@ -126,6 +126,13 @@ class TestSigner(SimpleTestCase):
            self.assertNotEqual(o, signing.dumps(o, compress=True))
            self.assertEqual(o, signing.loads(signing.dumps(o, compress=True)))

+    def test_dumps_loads_legacy_signature(self):
+        # RemovedInDjango40Warning: pre-Django 3.1 signatures won't be
+        # supported.
+        value = 'a string \u2020'
+        signed = signing.dumps(value, algorithm='sha1')
+        self.assertEqual(signing.loads(signed), value)
+
    def test_decode_detects_tampering(self):
        "loads should raise exception for tampered objects"
        transforms = (