diff --git a/django/core/signing.py b/django/core/signing.py
index 3b0a48be33..054777a260 100644
--- a/django/core/signing.py
+++ b/django/core/signing.py
@@ -96,7 +96,7 @@ def dumps(obj, key=None, salt='django.core.signing', compress=False): save some space. Prepends a '.' to signify compression. This is included in the signature, to protect against zip bombs.
- salt can be used to further salt the hash, in case you're worried
+ Salt can be used to further salt the hash, in case you're worried that the NSA might try to brute-force your SHA-1 protected secret. """ json = simplejson.dumps(obj, separators=(',', ':'))
diff --git a/docs/topics/signing.txt b/docs/topics/signing.txt
index 7989643297..da030af80e 100644
--- a/docs/topics/signing.txt
+++ b/docs/topics/signing.txt
@@ -31,7 +31,7 @@ Protecting the SECRET_KEY ========================= When you create a new Django project using :djadmin:`startproject`, the
-``settings.py`` file it generates automatically gets a random
+``settings.py`` file is generated automatically and gets a random :setting:`SECRET_KEY` value. This value is the key to securing signed data -- it is vital you keep this secure, or attackers could use it to generate their own signed values.
@@ -58,7 +58,7 @@ You can retrieve the original value using the ``unsign`` method:: u'My string' If the signature or value have been altered in any way, a
-``django.core.signing.BadSigature`` exception will be raised::
+``django.core.signing.BadSignature`` exception will be raised:: >>> value += 'm' >>> try:
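Review bot: The `dumps` docstring hunk only capitalises "salt" and keeps a rationale that misdescribes what the parameter is for: mixing a salt into the signature adds nothing against brute-forcing the secret, and the line about the NSA and SHA-1 gives a reader the wrong mental model. The practical value of `salt`, presumably because it is folded into the HMAC key elsewhere in the module (not visible in this hunk), is namespacing: a value signed under one salt does not verify under another, so a token issued for one purpose cannot be presented to a consumer that uses a different salt. I would replace the two sentences with `salt namespaces the signature: a value signed with one salt will not verify under another, so tokens issued for one purpose cannot be reused where a different salt is expected. It does not make SECRET_KEY harder to brute-force.` The body of `dumps` continues past the end of the hunk.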
@@ -122,10 +122,10 @@ Protecting complex data structures ---------------------------------- If you wish to protect a list, tuple or dictionary you can do so using the
-signing module's dumps and loads functions. These imitate Python's pickle
-module, but uses JSON serialization under the hood. JSON ensures that even
-if your :setting:`SECRET_KEY` is stolen an attacker will not be able to
-execute arbitrary commands by exploiting the pickle format.::
+signing module's ``dumps`` and ``loads`` functions. These imitate Python's
+pickle module, but use JSON serialization under the hood. JSON ensures that
+even if your :setting:`SECRET_KEY` is stolen an attacker will not be able
+to execute arbitrary commands by exploiting the pickle format.:: >>> from django.core import signing >>> value = signing.dumps({"foo": "bar"})
@@ -133,3 +133,11 @@ execute arbitrary commands by exploiting the pickle format.:: 'eyJmb28iOiJiYXIifQ:1NMg1b:zGcDE4-TCkaeGzLeW9UQwZesciI' >>> signing.loads(value) {'foo': 'bar'}
+
+.. function:: dumps(obj, key=None, salt='django.core.signing', compress=False)
+
+ Returns URL-safe, sha1 signed base64 compressed JSON string.
+
+.. function:: loads(string, key=None, salt='django.core.signing', max_age=None)
+
+ Reverse of dumps(), raises ``BadSignature`` if signature fails.