Hello, I have an issue when using TextHmacField as an encrypted field.
First, I'm using version 2.1.1,
then I check the attribute of "encrypt_sql" in TextHmacField:
HMAC_SQL = "hmac(%s, '{}', 'sha512')".format(settings.PGCRYPTO_KEY)
However, when I upgrade to the latest version of your library,
suddenly the format was changed into:
HMAC_SQL = "hmac(%s, '{}', 'sha512')"
Can you tell me why the format string of PGCRYPTO_KEY is removed?
The reason the format string of PGCRYPTO_KEY was removed in the latest version of django-pgcrypto-fields (version 2.3.0 onwards) is to improve security.
Previous versions of django-pgcrypto-fields used string interpolation to insert the value of settings.PGCRYPTO_KEY into the HMAC_SQL string, which can introduce a security vulnerability called SQL injection, where an attacker can manipulate the input data to execute malicious SQL code. Removing the format string and directly including the PGCRYPTO_KEY value in the HMAC_SQL string eliminates this vulnerability.
However, if you really need the old behavior, you can still use version 2.2.0 or earlier, or modify the source code of the latest version to include the format string.
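The following is an added example, not code from django-pgcrypto-fields or from either participant above. It contrasts the two constructions the thread quotes: pasting the key into the SQL text with `.format()` versus leaving the SQL text fixed and binding the key as a query parameter. It runs offline against sqlite3 with a Python stand-in for pgcrypto's `hmac(data, key, type)` (returning a hex digest instead of bytea) and uses sqlite's `?` placeholder instead of the `%s` Django uses; the key value is constructed for the demo and deliberately contains a single quote. Two things are visible from the return values: the interpolated statement carries the key inside its SQL text (so it would appear wherever the statement is logged) and breaks on a key containing a quote, while the parameterized statement is constant and works with any key.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo key (assumption, not a real PGCRYPTO_KEY). The embedded
# quote shows why a key interpolated into SQL text is fragile.
DEMO_KEY = "k'ey-with-quote"


def build_hmac_sql_interpolated(key: str) -> str:
    """Construction quoted from the old version in the issue: key pasted into SQL text.
    (sqlite placeholder '?' stands in for Django's '%s'.)"""
    return "hmac(?, '{}', 'sha512')".format(key)


def build_hmac_sql_parameterized() -> str:
    """Key travels as a bound parameter; the SQL text never contains it."""
    return "hmac(?, ?, 'sha512')"


def _py_hmac(data: str, key: str, algo: str) -> str:
    # Stand-in for pgcrypto's hmac(data, key, type); hex string instead of bytea.
    return hmac.new(key.encode(), data.encode(), getattr(hashlib, algo)).hexdigest()


def run(sql: str, params: tuple) -> str:
    """Execute 'SELECT <sql>' with bound params on an in-memory sqlite database."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("hmac", 3, _py_hmac)
    try:
        return conn.execute("SELECT " + sql, params).fetchone()[0]
    finally:
        conn.close()


def compare(value: str, key: str) -> tuple:
    """Return (interpolated_result, parameterized_result, key_visible_in_sql_text).

    interpolated_result is the digest, or an 'error: ...' string if the
    key broke the statement; parameterized_result is always the digest.
    """
    interpolated_sql = build_hmac_sql_interpolated(key)
    try:
        interp = run(interpolated_sql, (value,))
    except sqlite3.OperationalError as exc:
        interp = f"error: {exc}"
    param = run(build_hmac_sql_parameterized(), (value, key))
    return interp, param, key in interpolated_sql


if __name__ == "__main__":
    for key in ("plainkey", DEMO_KEY):
        interp, param, visible = compare("hello", key)
        print(f"key={key!r} interpolated={interp[:24]}... parameterized={param[:24]}... key_in_sql={visible}")
```

With `plainkey` both constructions yield the same digest, but only the interpolated one has the key sitting in the statement text; with `DEMO_KEY` the interpolated statement fails to parse while the bound-parameter statement still returns the digest.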