-
Notifications
You must be signed in to change notification settings - Fork 83
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix critical security issue with misusing the Django Signer API
After the code was refactored to use the official Signer class the salt was passed wrongly as secret key, replacing the SECRET_KEY set in Django settings file. This allows, with verification enabled, to guess the signature by a potential attacker very easily. In reset password case, the guessing by attacker can be mitigated somewhat by using RESET_PASSWORD_VERIFICATION_ONE_TIME_USE but it leads to a different signature schema. This bug affects versions 0.2.*, 0.3.*, 0.4.*
- Loading branch information
Showing
4 changed files
with
70 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
26d094f
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Many years have passed, but you may be amused to know that django 4.2 no longer allows positional arguments to signer. See bullet here: https://docs.djangoproject.com/en/4.2/releases/4.2/#id1
26d094f
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indeed this is amusing, I guess I wasn't the only one bitten by this issue :D (passing salt wrongly).
But kudos go to @peterthomassen for finding that bug in the code (here is detailed security advisory ).