Ticket #2249 (closed: invalid)

Opened 3 years ago

Last modified 1 year ago

MD5 is broken sometimes, an option to use SHA would be appreciated.

Reported by: pol@ducker.org
Assigned to: nobody
Milestone:
Component: Contrib apps
Version:
Keywords: modpython md5 session
Cc: nikl@nikl.net
Triage Stage: Design decision needed
Has patch: 0
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0

Description

Machine Info: Debian Linux 2.4.26-1-386 mod_python 3.1 Apache2 Python 2.3

Description: Apparently my version of mod_python is not generating md5 strings well. As a result, the session was throwing a "Suspicious Operation" exception when checking for cookie tampering. I am not the first person that this has happened to.

The following fixed the problem: Modify contrib/sessions/models.py and contrib/admin/views/decorators.py

  • Import sha and change *md5* to *sha*
  • Change encoded_data[:-32], encoded_data[-32:] to encoded_data[:-40], encoded_data[-40:]

Suggestion: Add a SESSION_KEY_TYPE var to settings.py that allows the user to specify md5 or sha session keys.

Attachments

svn.diff (4.1 kB) - added by nikl@nikl.net on 06/27/06 16:04:52.
svn diff of the changed files
hashes.py (1.1 kB) - added by nikl@nikl.net on 06/27/06 16:06:20.
I had put this in django/utils/hashes.py

Change History

06/27/06 16:03:56 changed by nikl@nikl.net

  • cc set to nikl@nikl.net.
  • keywords set to modpython md5 session.

The topic has been brought up on the mailing lists, e.g.:

http://groups.google.com/group/django-users/browse_thread/thread/360d5b76ea2c614a/9e36f023614f8baf
http://groups.google.com/group/django-users/browse_thread/thread/eeb44c894342d6f7/4b951b6d3a8644dd
http://modpython.org/pipermail/mod_python/2006-June/021482.html

I'd like to propose that the hashing algorithm should be put somewhere else, with the possibility to set the preferred hashing algorithm generally, since this is used in several situations (sessions, postdata, comments, ...). Possibly something along the lines of the attached patch?

06/27/06 16:04:52 changed by nikl@nikl.net

  • attachment svn.diff added.

svn diff of the changed files

06/27/06 16:06:20 changed by nikl@nikl.net

  • attachment hashes.py added.

I had put this in django/utils/hashes.py

07/05/06 10:01:15 changed by nikl@nikl.net

For anybody who's also experiencing this problem, Alain Tesio mentioned another odd factor and its workaround on the modpy mailing list:

http://modpython.org/pipermail/mod_python/2006-July/021544.html

01/26/07 12:37:45 changed by mountainpaul

I had the same problem, and a similar solution: instead of dumping the md5, I just test to see if it is working properly by

if (md5.new('testencrypt').hexdigest()!='17500f56515d37cd65a68aca1b4679a6')

If it fails then I use sha, if it passes I use md5.
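An added example, not code from this ticket or from Django: one way to keep the tamper check independent of a hard-coded digest length (the 32-versus-40 slicing change in the description) and to run a known-answer self-test before trusting a hash implementation (the check in the comment above). It assumes Python 3 with hashlib, uses HMAC with a constant-time comparison in place of hashing data and secret together, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Standard test vectors for the input b"abc" (RFC 1321, FIPS 180).
KNOWN_ANSWERS = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


class SuspiciousOperation(Exception):
    """Raised when session data fails the tamper check."""


def working_algorithm(preferred, fallback="sha256"):
    """Return the first of (preferred, fallback) that passes its self-test."""
    for name in (preferred, fallback):
        try:
            if hashlib.new(name, b"abc").hexdigest() == KNOWN_ANSWERS[name]:
                return name
        except ValueError:  # algorithm unavailable in this build
            continue
    raise RuntimeError("no hash implementation passed its self-test")


def encode(data, secret, algorithm):
    """Append a hex MAC over `data` and base64-encode the result."""
    tag = hmac.new(secret, data, algorithm).hexdigest().encode("ascii")
    return base64.b64encode(data + tag)


def decode(encoded, secret, algorithm):
    """Verify and strip the MAC; the tag length follows the algorithm."""
    raw = base64.b64decode(encoded)
    tag_len = hashlib.new(algorithm).digest_size * 2  # md5: 32, sha1: 40
    data, tag = raw[:-tag_len], raw[-tag_len:]
    expected = hmac.new(secret, data, algorithm).hexdigest().encode("ascii")
    if not hmac.compare_digest(tag, expected):
        raise SuspiciousOperation("session data failed the tamper check")
    return data
```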

02/08/07 22:14:51 changed by SmileyChris

  • stage changed from Unreviewed to Design decision needed.

From nikl's comment, this looks like it's caused by another library being installed: libmhash2, not a Django problem.

Still, if it's a problem then perhaps we should have a workaround?

09/16/07 07:56:18 changed by ubernostrum

  • status changed from new to closed.
  • resolution set to invalid.

Since this appears to be caused by a third-party library breaking things that are out of our control, I'm going to mark invalid.

