From d32a232fe92e0162030c7905f877d8a07c09e6c7 Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Mon, 11 Jan 2021 21:57:48 +0100 Subject: [PATCH] Refs #27468 -- Removed support for the pre-Django 3.1 signatures in Signer and signing.dumps()/loads(). Per deprecation timeline. --- django/core/signing.py | 14 +------------- docs/releases/4.0.txt | 7 +++++++ tests/signing/tests.py | 18 +----------------- 3 files changed, 9 insertions(+), 30 deletions(-) diff --git a/django/core/signing.py b/django/core/signing.py index a5bccfbdc8..804b6e773c 100644 --- a/django/core/signing.py +++ b/django/core/signing.py @@ -120,9 +120,6 @@ def loads(s, key=None, salt='django.core.signing', serializer=JSONSerializer, ma class Signer: - # RemovedInDjango40Warning. - legacy_algorithm = 'sha1' - def __init__(self, key=None, sep=':', salt=None, algorithm=None): self.key = key or settings.SECRET_KEY self.sep = sep @@ -139,10 +136,6 @@ class Signer: def signature(self, value): return base64_hmac(self.salt + 'signer', value, self.key, algorithm=self.algorithm) - def _legacy_signature(self, value): - # RemovedInDjango40Warning. - return base64_hmac(self.salt + 'signer', value, self.key, algorithm=self.legacy_algorithm) - def sign(self, value): return '%s%s%s' % (value, self.sep, self.signature(value)) @@ -150,12 +143,7 @@ class Signer: if self.sep not in signed_value: raise BadSignature('No "%s" found in value' % self.sep) value, sig = signed_value.rsplit(self.sep, 1) - if ( - constant_time_compare(sig, self.signature(value)) or ( - self.legacy_algorithm and - constant_time_compare(sig, self._legacy_signature(value)) - ) - ): + if constant_time_compare(sig, self.signature(value)): return value raise BadSignature('Signature "%s" does not match' % sig) diff --git a/docs/releases/4.0.txt b/docs/releases/4.0.txt index a6f5bdb12e..0088953b3e 100644 --- a/docs/releases/4.0.txt +++ b/docs/releases/4.0.txt @@ -285,3 +285,10 @@ to remove usage of these features. use the SHA-1 hashing algorithm) is removed. * Support for the pre-Django 3.1 encoding format of sessions is removed. + +* Support for the pre-Django 3.1 ``django.core.signing.Signer`` signatures + (encoded with the SHA-1 algorithm) is removed. + +* Support for the pre-Django 3.1 ``django.core.signing.dumps()`` signatures + (encoded with the SHA-1 algorithm) in ``django.core.signing.loads()`` is + removed. diff --git a/tests/signing/tests.py b/tests/signing/tests.py index 50b2b0d9bb..f4c20b9aff 100644 --- a/tests/signing/tests.py +++ b/tests/signing/tests.py @@ -67,14 +67,6 @@ class TestSigner(SimpleTestCase): with self.assertRaisesMessage(InvalidAlgorithm, msg): signer.sign('hello') - def test_legacy_signature(self): - # RemovedInDjango40Warning: pre-Django 3.1 signatures won't be - # supported. - signer = signing.Signer() - sha1_sig = 'foo:l-EMM5FtewpcHMbKFeQodt3X9z8' - self.assertNotEqual(signer.sign('foo'), sha1_sig) - self.assertEqual(signer.unsign(sha1_sig), 'foo') - def test_sign_unsign(self): "sign/unsign should be reversible" signer = signing.Signer('predictable-secret') @@ -151,20 +143,12 @@ class TestSigner(SimpleTestCase): self.assertNotEqual(o, signing.dumps(o, compress=True)) self.assertEqual(o, signing.loads(signing.dumps(o, compress=True))) - def test_dumps_loads_legacy_signature(self): - # RemovedInDjango40Warning: pre-Django 3.1 signatures won't be - # supported. - value = 'a string \u2020' - # SHA-1 signed value. - signed = 'ImEgc3RyaW5nIFx1MjAyMCI:1k1beT:ZfNhN1kdws7KosUleOvuYroPHEc' - self.assertEqual(signing.loads(signed), value) - @ignore_warnings(category=RemovedInDjango40Warning) def test_dumps_loads_default_hashing_algorithm_sha1(self): value = 'a string \u2020' with self.settings(DEFAULT_HASHING_ALGORITHM='sha1'): signed = signing.dumps(value) - self.assertEqual(signing.loads(signed), value) + self.assertEqual(signing.loads(signed), value) def test_decode_detects_tampering(self): "loads should raise exception for tampered objects"