Fixed #95 -- Added SECRET_KEY setting instead of hard-coding keys tha…

…t are shared for every Django installation. 'django-admin.py startproject' now creates a random SECRET_KEY. The auth and comments modules, and the admin middleware, all use SECRET_KEY now, instead of hard-coded values.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@230 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 897d24b220a9615f036ffed663926851a7ec5e64 1 parent 43538e7
Adrian Holovaty authored July 20, 2005
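--- a/django/bin/django-admin.py
+++ b/django/bin/django-admin.py
@@ -340,15 +340,24 @@ def _start_helper(app_or_project, name, directory, other_name=''):
 
 def startproject(project_name, directory):
     "Creates a Django project for the given project_name in the given directory."
+    from whrandom import choice
     _start_helper('project', project_name, directory)
     # Populate TEMPLATE_DIRS for the admin templates, based on where Django is
     # installed.
-    settings_file = os.path.join(directory, project_name, 'settings/admin.py')
-    settings_contents = open(settings_file, 'r').read()
-    fp = open(settings_file, 'w')
+    admin_settings_file = os.path.join(directory, project_name, 'settings/admin.py')
+    settings_contents = open(admin_settings_file, 'r').read()
+    fp = open(admin_settings_file, 'w')
     settings_contents = re.sub(r'(?s)\b(TEMPLATE_DIRS\s*=\s*\()(.*?)\)', "\\1\n    '%s',\\2)" % ADMIN_TEMPLATE_DIR, settings_contents)
     fp.write(settings_contents)
     fp.close()
+    # Create a random SECRET_KEY hash, and put it in the main settings.
+    main_settings_file = os.path.join(directory, project_name, 'settings/main.py')
+    settings_contents = open(main_settings_file, 'r').read()
+    fp = open(main_settings_file, 'w')
+    secret_key = ''.join([choice('abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)') for i in range(50)])
+    settings_contents = re.sub(r"(?<=SECRET_KEY = ')'", secret_key + "'", settings_contents)
+    fp.write(settings_contents)
+    fp.close()
 startproject.help_doc = "Creates a Django project directory structure for the given project name in the current directory."
 startproject.args = "[projectname]"
 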
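Review bot: The key built on the `secret_key = ''.join(...)` line draws every character from `whrandom.choice`, a Wichmann-Hill generator seeded from the clock by default, so the 50-character value is considerably less unpredictable than its length suggests, and every tamper check in this commit that hashes with SECRET_KEY inherits that weakness. Where the supported Python version provides it, take the characters from `random.SystemRandom().choice` (backed by `os.urandom`) and keep `whrandom` only as a fallback for older interpreters. The substitution `re.sub(r"(?<=SECRET_KEY = ')'", ...)` also fails silently if the template line ever changes, leaving the generated project with `SECRET_KEY = ''`; a check that `settings_contents` no longer contains `SECRET_KEY = ''` after the substitution, raising otherwise, would catch that at project creation rather than in production.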
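--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -96,6 +96,11 @@
 IGNORABLE_404_STARTS = ('/cgi-bin/', '/_vti_bin', '/_vti_inf')
 IGNORABLE_404_ENDS = ('mail.pl', 'mailform.pl', 'mail.cgi', 'mailform.cgi', 'favicon.ico', '.php')
 
+# A secret key for this particular Django installation. Used in secret-key
+# hashing algorithms. Set this in your settings, or Django will complain
+# loudly.
+SECRET_KEY = ''
+
 ##############
 # MIDDLEWARE #
 ##############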
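Review bot: The comment above the new `SECRET_KEY = ''` says Django "will complain loudly" when the setting is left unset, but nothing in this commit adds such a check; as far as the visible hunks show, an empty SECRET_KEY is simply concatenated into the md5 inputs in middleware/admin.py, models/auth.py and contrib/comments, so the tamper checks there verify nothing an outsider could not compute. Either add the check where the settings module is loaded (raise when `SECRET_KEY` is empty) so the comment becomes true, or reword it to what actually happens, e.g. `# Set this in your settings; an empty value leaves the tamper checks without a secret.`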
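--- a/django/conf/project_template/settings/main.py
+++ b/django/conf/project_template/settings/main.py
@@ -26,6 +26,9 @@
 # Example: "http://media.lawrence.com"
 MEDIA_URL = ''
 
+# Make this unique, and don't share it with anybody.
+SECRET_KEY = ''
+
 ROOT_URLCONF = '{{ project_name }}.settings.urls.main'
 
 TEMPLATE_DIRS = (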
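--- a/django/contrib/comments/models/comments.py
+++ b/django/contrib/comments/models/comments.py
@@ -31,9 +31,6 @@ class Comment(meta.Model):
         meta.ForeignKey(core.Site),
     )
     module_constants = {
-        # used as shared secret between comment form and comment-posting script
-        'COMMENT_SALT': 'ijw2f3_MRS_PIGGY_LOVES_KERMIT_avo#*5vv0(23j)(*',
-
         # min. and max. allowed dimensions for photo resizing (in pixels)
         'MIN_PHOTO_DIMENSION': 5,
         'MAX_PHOTO_DIMENSION': 1000,
@@ -123,8 +120,9 @@ def _module_get_security_hash(options, photo_options, rating_options, target):
         'pa,ra') and target (something like 'lcom.eventtimes:5157'). Used to
         validate that submitted form options have not been tampered-with.
         """
+        from django.conf.settings import SECRET_KEY
         import md5
-        return md5.new(options + photo_options + rating_options + target + COMMENT_SALT).hexdigest()
+        return md5.new(options + photo_options + rating_options + target + SECRET_KEY).hexdigest()
 
     def _module_get_rating_options(rating_string):
         """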
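--- a/django/middleware/admin.py
+++ b/django/middleware/admin.py
@@ -5,9 +5,7 @@
 from django.views.registration import passwords
 import base64, md5
 import cPickle as pickle
-
-# secret used in pickled data to guard against tampering
-TAMPER_SECRET = '09VJWE9_RIZZO_j0jwfe09j'
+from django.conf.settings import SECRET_KEY
 
 ERROR_MESSAGE = "Please enter a correct username and password. Note that both fields are case-sensitive."
 
@@ -108,13 +106,13 @@ def get_login_template_name(self):
 
 def encode_post_data(post_data):
     pickled = pickle.dumps(post_data)
-    pickled_md5 = md5.new(pickled + TAMPER_SECRET).hexdigest()
+    pickled_md5 = md5.new(pickled + SECRET_KEY).hexdigest()
     return base64.encodestring(pickled + pickled_md5)
 
 def decode_post_data(encoded_data):
     encoded_data = base64.decodestring(encoded_data)
     pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
-    if md5.new(pickled + TAMPER_SECRET).hexdigest() != tamper_check:
+    if md5.new(pickled + SECRET_KEY).hexdigest() != tamper_check:
         from django.core.exceptions import SuspiciousOperation
         raise SuspiciousOperation, "User may have tampered with session cookie."
     return pickle.loads(pickled)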
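Review bot: `decode_post_data` ends in `pickle.loads(pickled)` on data that arrived from the client, so the md5 comparison two lines above is the only thing that keeps untrusted bytes out of the unpickler, and with the new default `SECRET_KEY = ''` that comparison is an unkeyed md5 anyone can recompute. The function should refuse to proceed when `SECRET_KEY` is empty, and both here and in `encode_post_data` the digest should come from `hmac.new(SECRET_KEY, pickled, md5).hexdigest()` rather than `md5.new(pickled + SECRET_KEY)`, which keeps the 32-character layout the slicing relies on. The first hunk also imports `SECRET_KEY` at module level while every other file in this commit imports it inside the function body; if that is deliberate (the settings presumably being resolvable at import time here), a one-line comment such as `# settings are already loaded when middleware is imported` would save the next reader the question.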
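--- a/django/models/auth.py
+++ b/django/models/auth.py
@@ -182,10 +182,6 @@ class Session(meta.Model):
         meta.DateTimeField('start_time', 'start time', auto_now=True),
     )
     module_constants = {
-        # Used for providing pseudo-entropy in creating random session strings.
-        'SESSION_SALT': 'ijw2f3_MUPPET_avo#*5)(*',
-        # Secret used in cookie to guard against cookie tampering.
-        'TAMPER_SECRET': 'lj908_PIGGY_j0vajeawej-092j3f',
         'TEST_COOKIE_NAME': 'testcookie',
         'TEST_COOKIE_VALUE': 'worked',
     }
@@ -195,26 +191,28 @@ def __repr__(self):
 
     def get_cookie(self):
         "Returns a tuple of the cookie name and value for this session."
+        from django.conf.settings import AUTH_SESSION_COOKIE, SECRET_KEY
         import md5
-        from django.conf.settings import AUTH_SESSION_COOKIE
-        return AUTH_SESSION_COOKIE, self.session_md5 + md5.new(self.session_md5 + TAMPER_SECRET).hexdigest()
+        return AUTH_SESSION_COOKIE, self.session_md5 + md5.new(self.session_md5 + SECRET_KEY + 'auth').hexdigest()
 
     def _module_create_session(user_id):
         "Registers a session and returns the session_md5."
+        from django.conf.settings import SECRET_KEY
         import md5, random, sys
         # The random module is seeded when this Apache child is created.
-        # Use person_id and SESSION_SALT as added salt.
-        session_md5 = md5.new(str(random.randint(user_id, sys.maxint - 1)) + SESSION_SALT).hexdigest()
+        # Use person_id and SECRET_KEY as added salt.
+        session_md5 = md5.new(str(random.randint(user_id, sys.maxint - 1)) + SECRET_KEY).hexdigest()
         s = Session(None, user_id, session_md5, None)
         s.save()
         return s
 
     def _module_get_session_from_cookie(session_cookie_string):
+        from django.conf.settings import SECRET_KEY
         import md5
         if not session_cookie_string:
             raise SessionDoesNotExist
         session_md5, tamper_check = session_cookie_string[:32], session_cookie_string[32:]
-        if md5.new(session_md5 + TAMPER_SECRET).hexdigest() != tamper_check:
+        if md5.new(session_md5 + SECRET_KEY + 'auth').hexdigest() != tamper_check:
             raise SuspiciousOperation, "User may have tampered with session cookie."
         return get_object(session_md5__exact=session_md5, select_related=True)
 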
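Review bot: In `_module_create_session` the session identifier is `md5(str(random.randint(user_id, sys.maxint - 1)) + SECRET_KEY)`, and `random.randint` contributes at most about 31 bits from a generator that is not designed to resist guessing, so the unpredictability of `session_md5` rests almost entirely on SECRET_KEY being non-empty and secret; where the supported Python version provides it, feed `os.urandom` (or `random.SystemRandom`) output into the hash instead. The updated comment `# Use person_id and SECRET_KEY as added salt.` is also stale: the parameter is `user_id`, and it is used as the lower bound of `randint`, not as salt, so `# user_id only bounds the random range; SECRET_KEY is the actual salt.` describes the line accurately. The `'auth'` suffix added in `get_cookie` and `_module_get_session_from_cookie` separates this cookie digest from the other SECRET_KEY hashes in the commit, which is worth a short comment such as `# 'auth' keeps this digest distinct from other SECRET_KEY hashes.` so nobody removes it as redundant.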
