Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added fallback signers and switch back to sha1 #113

Merged
merged 8 commits into from Oct 26, 2018

Conversation

Projects
None yet
2 participants
@mitsuhiko
Copy link
Member

commented Oct 26, 2018

This rolls back the signing algorithm to HMAC-SHA1 by default and it
adds support for fallback signers. This way a future version of itsdangerous
could rotate to a different algorithm without discarding everything else.

The fallbacks are just supported for the normal serializers.

Refs #112 #111

@mitsuhiko mitsuhiko requested a review from davidism Oct 26, 2018

mitsuhiko added some commits Oct 26, 2018

@mitsuhiko mitsuhiko merged commit af4856a into master Oct 26, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details
@ThiefMaster

This comment has been minimized.

Copy link
Member

commented Oct 26, 2018

Do we support SHA1 and SHA512 in 1.1? If 1.1 cannot deserialize data from 1.0, the release should probably be 2.0.

@mitsuhiko

This comment has been minimized.

Copy link
Member Author

commented Oct 26, 2018

I can make the default config support SHA-512.

@mitsuhiko mitsuhiko deleted the feature/sha1 branch Oct 26, 2018

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Nov 10, 2018

Update py-itsdangerous to 1.1.0.
Version 1.1.0
-------------

Released 2018-10-26

-   Change default signing algorithm back to SHA-1. (`#113`_)
-   Added a default SHA-512 fallback for users who used the yanked 1.0.0
    release which defaulted to SHA-512. (`#114`_)
-   Add support for fallback algorithms during deserialization to
    support changing the default in the future without breaking existing
    signatures. (`#113`_)
-   Changed capitalization of packages back to lowercase as the change
    in capitalization broke some tooling. (`#113`_)

.. _#113: pallets/itsdangerous#113
.. _#114: pallets/itsdangerous#114


Version 1.0.0
-------------

Released 2018-10-18

YANKED

*Note*: This release was yanked from PyPI because it changed the default
algorithm to SHA-512. This decision was reverted in 1.1.0 and it remains
at SHA1.

-   Drop support for Python 2.6 and 3.3.
-   Refactor code from a single module to a package. Any object in the
    API docs is still importable from the top-level ``itsdangerous``
    name, but other imports will need to be changed. A future release
    will remove many of these compatibility imports. (`#107`_)
-   Optimize how timestamps are serialized and deserialized. (`#13`_)
-   ``base64_decode`` raises ``BadData`` when it is passed invalid data.
    (`#27`_)
-   Ensure value is bytes when signing to avoid a ``TypeError`` on
    Python 3. (`#29`_)
-   Add a ``serializer_kwargs`` argument to ``Serializer``, which is
    passed to ``dumps`` during ``dump_payload``. (`#36`_)
-   More compact JSON dumps for unicode strings. (`#38`_)
-   Use the full timestamp rather than an offset, allowing dates before
    2011. (`#46`_)
-   Detect a ``sep`` character that may show up in the signature itself
    and raise a ``ValueError``. (`#62`_)
-   Use a consistent signature for keyword arguments for
    ``Serializer.load_payload`` in subclasses. (`#74`_, `#75`_)
-   Change default intermediate hash from SHA-1 to SHA-512. (`#80`_)
-   Convert JWS exp header to an int when loading. (`#99`_)

.. _#13: pallets/itsdangerous#13
.. _#27: pallets/itsdangerous#27
.. _#29: pallets/itsdangerous#29
.. _#36: pallets/itsdangerous#36
.. _#38: pallets/itsdangerous#38
.. _#46: pallets/itsdangerous#46
.. _#62: pallets/itsdangerous#62
.. _#74: pallets/itsdangerous#74
.. _#75: pallets/itsdangerous#75
.. _#80: pallets/itsdangerous#80
.. _#99: pallets/itsdangerous#99
.. _#107: pallets/itsdangerous#107
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.