Refs #27468 -- Removed support for the pre-Django 3.1 signatures in Signer and signing.dumps()/loads().

Per deprecation timeline.
This commit is contained in:
Mariusz Felisiak 2021-01-11 21:57:48 +01:00
parent 8250145a0c
commit d32a232fe9
3 changed files with 9 additions and 30 deletions

View File

@ -120,9 +120,6 @@ def loads(s, key=None, salt='django.core.signing', serializer=JSONSerializer, ma
class Signer: class Signer:
# RemovedInDjango40Warning.
legacy_algorithm = 'sha1'
def __init__(self, key=None, sep=':', salt=None, algorithm=None): def __init__(self, key=None, sep=':', salt=None, algorithm=None):
self.key = key or settings.SECRET_KEY self.key = key or settings.SECRET_KEY
self.sep = sep self.sep = sep
@ -139,10 +136,6 @@ class Signer:
def signature(self, value): def signature(self, value):
return base64_hmac(self.salt + 'signer', value, self.key, algorithm=self.algorithm) return base64_hmac(self.salt + 'signer', value, self.key, algorithm=self.algorithm)
def _legacy_signature(self, value):
# RemovedInDjango40Warning.
return base64_hmac(self.salt + 'signer', value, self.key, algorithm=self.legacy_algorithm)
def sign(self, value): def sign(self, value):
return '%s%s%s' % (value, self.sep, self.signature(value)) return '%s%s%s' % (value, self.sep, self.signature(value))
@ -150,12 +143,7 @@ class Signer:
if self.sep not in signed_value: if self.sep not in signed_value:
raise BadSignature('No "%s" found in value' % self.sep) raise BadSignature('No "%s" found in value' % self.sep)
value, sig = signed_value.rsplit(self.sep, 1) value, sig = signed_value.rsplit(self.sep, 1)
if ( if constant_time_compare(sig, self.signature(value)):
constant_time_compare(sig, self.signature(value)) or (
self.legacy_algorithm and
constant_time_compare(sig, self._legacy_signature(value))
)
):
return value return value
raise BadSignature('Signature "%s" does not match' % sig) raise BadSignature('Signature "%s" does not match' % sig)

View File

@ -285,3 +285,10 @@ to remove usage of these features.
use the SHA-1 hashing algorithm) is removed. use the SHA-1 hashing algorithm) is removed.
* Support for the pre-Django 3.1 encoding format of sessions is removed. * Support for the pre-Django 3.1 encoding format of sessions is removed.
* Support for the pre-Django 3.1 ``django.core.signing.Signer`` signatures
(encoded with the SHA-1 algorithm) is removed.
* Support for the pre-Django 3.1 ``django.core.signing.dumps()`` signatures
(encoded with the SHA-1 algorithm) in ``django.core.signing.loads()`` is
removed.

View File

@ -67,14 +67,6 @@ class TestSigner(SimpleTestCase):
with self.assertRaisesMessage(InvalidAlgorithm, msg): with self.assertRaisesMessage(InvalidAlgorithm, msg):
signer.sign('hello') signer.sign('hello')
def test_legacy_signature(self):
# RemovedInDjango40Warning: pre-Django 3.1 signatures won't be
# supported.
signer = signing.Signer()
sha1_sig = 'foo:l-EMM5FtewpcHMbKFeQodt3X9z8'
self.assertNotEqual(signer.sign('foo'), sha1_sig)
self.assertEqual(signer.unsign(sha1_sig), 'foo')
def test_sign_unsign(self): def test_sign_unsign(self):
"sign/unsign should be reversible" "sign/unsign should be reversible"
signer = signing.Signer('predictable-secret') signer = signing.Signer('predictable-secret')
@ -151,14 +143,6 @@ class TestSigner(SimpleTestCase):
self.assertNotEqual(o, signing.dumps(o, compress=True)) self.assertNotEqual(o, signing.dumps(o, compress=True))
self.assertEqual(o, signing.loads(signing.dumps(o, compress=True))) self.assertEqual(o, signing.loads(signing.dumps(o, compress=True)))
def test_dumps_loads_legacy_signature(self):
# RemovedInDjango40Warning: pre-Django 3.1 signatures won't be
# supported.
value = 'a string \u2020'
# SHA-1 signed value.
signed = 'ImEgc3RyaW5nIFx1MjAyMCI:1k1beT:ZfNhN1kdws7KosUleOvuYroPHEc'
self.assertEqual(signing.loads(signed), value)
@ignore_warnings(category=RemovedInDjango40Warning) @ignore_warnings(category=RemovedInDjango40Warning)
def test_dumps_loads_default_hashing_algorithm_sha1(self): def test_dumps_loads_default_hashing_algorithm_sha1(self):
value = 'a string \u2020' value = 'a string \u2020'