New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Admin cannot be accessed on FIPS-mode system #10184
Comments
Hey @nutjob4life, Thank you for raising this. A PR would be most welcome. If you are not using Gravatar, you could set |
Hi @zerolab, I've got a PR nearly, but I'm not sure how to write a unit test for it. I guess I could monkey-patch the hashlib and fake an |
Hi @nutjob4life, indeed it is a bit tricky to test this one. For reference, Django handled this in django/django#14763 and it seems they didn't add tests either (unless I missed it in a separate commit outside of that PR). We also have another usage of wagtail/wagtail/embeds/embeds.py Lines 68 to 69 in b3b53c8
I think ideally we should fix it in both instances. Feel free to start a draft PR and we'll see what we can do! |
You got it @laymonage! Draft PR posted. |
Issue Summary
When accessing the Wagtail admin on a security-restricted system (such as on SELinux with FIPS mode enabled), "Server Error (500)" is produced. This prevents Wagtail from being used on new U.S. Government systems, for example.
The issue stems from this code (dealing with the Gravatar handling for the sidebar on the admin UI):
wagtail/wagtail/users/utils.py
Line 43 in b3b53c8
On security-restricted systems, the MD5 hash algorithm is disabled and produces an error such as:
Starting with Python 3.9, it's possible to pass a flag
usedforsecurity=False
to MD5 to indicate that it's not being used for security but for fingerprinting or other non-secure purposes.Steps to Reproduce
At this point, visit http://localhost:8080/admin and log in. The console then displays:
Workaround
Patch
wagtail/users/utils.py
changing 43 to read:👉 Note: This requires Python 3.9 or higher.
Additional Uses
@laymonage points out that there's a second call to
md5
inwagtail/wagtail/embeds/embeds.py
Lines 68 to 69 in b3b53c8
Technical details
python --version
:Python 3.9.12
pip show django | grep Version
:Version: 4.1.7
pip show wagtail | grep Version:
:Version: 4.2
You're using Lynx 2. If you believe this is incorrect, then please email us to let us know!
The text was updated successfully, but these errors were encountered: