Fixed #16285 -- Removed a misleading comment from the signing code, thanks PaulM.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16458 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-26 16:52:01 +00:00 · 2011-06-26 16:52:01 +00:00 · 32ea1285ab
parent 352b7ffaf0
commit 32ea1285ab
1 changed files with 4 additions and 2 deletions
--- a/django/core/signing.py
+++ b/django/core/signing.py
@ -96,8 +96,10 @@ def dumps(obj, key=None, salt='django.core.signing', compress=False):
    save some space. Prepends a '.' to signify compression. This is included
    in the signature, to protect against zip bombs.

-    Salt can be used to further salt the hash, in case you're worried
-    that the NSA might try to brute-force your SHA-1 protected secret.
+    Salt can be used to namespace the hash, so that a signed string is
+    only valid for a given namespace. Leaving this at the default
+    value or re-using a salt value across different parts of your
+    application without good cause is a security risk.
    """
    json = simplejson.dumps(obj, separators=(',', ':'))