Hi all,

This is in continuation to Simon's previous efforts about adding tools
for easy signing, including secure cookies ([1], [2]).

Stephan (who is working on #9200 [3] -- improving the wizard in
contrib.formtools) and me just updated the patch attached to ticket
#12417 [4] with the recommended changes according to the mailing list
threads and the Trac ticket:

  http://code.djangoproject.com/attachment/ticket/12417/ticket12417-v4.diff

The complete changes (as noted) are:

- Moved from django.utils.signed to django.core.signing
- Removed the separator argument to the Signer.sign and Signer.unsign
  methods and moved it to a class attribute
- Added key prefix ('django.http.cookies') to Signer instantiation
- Changed key ordering from `"signer" + key + salt` to `salt + "signer" + key`
  to lower the chance for brute force attacks
- PEP8 and other style changes
- Use constant_time_compare from django.utils.crypto for timing attack
  proof signature verification
- Updated and fixed docs
- Changed setting name from COOKIE_SIGNER_BACKEND to SIGNING_BACKEND

We'd appreciate any further comments before I commit this patch, given
the formtools wizard being dependent on it for its cookie storage backend.

As always don't hesitate to ask if there are any questions.

Best,
Stephan and Jannis


1: http://groups.google.com/group/django-developers/browse_thread/thread/d9d635afb6d1820f/
2: http://groups.google.com/group/django-developers/browse_thread/thread/297e8b22006f7f3a/
3: http://code.djangoproject.com/ticket/9200
4: http://code.djangoproject.com/ticket/12417
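The signer described in the change list above, as an added example that is not the code of the patch or of Django itself: the class-level separator, the derived-key layout (salt + "signer" + key) and the constant-time signature check follow the list, while the hash function, the base64 encoding, the default salt and the `BadSignature` name are assumptions.

```python
import base64
import hashlib
import hmac


class BadSignature(Exception):
    """Raised when a signed value fails verification (name is an assumption)."""


def constant_time_compare(a, b):
    # Stand-in for django.utils.crypto.constant_time_compare: compares in time
    # independent of where the strings first differ, so a forger cannot learn
    # the correct signature byte by byte from response timing.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class Signer(object):
    sep = ":"  # separator is a class attribute, not a sign()/unsign() argument

    def __init__(self, key, salt="django.core.signing.Signer"):
        self.key = key
        self.salt = salt

    def _derived_key(self):
        # Ordering from the change list: salt + "signer" + key. Each salt
        # (e.g. 'django.http.cookies') yields a separate HMAC key, so a
        # signature produced for one purpose does not verify for another.
        material = self.salt + "signer" + self.key
        return hashlib.sha1(material.encode("utf-8")).digest()

    def signature(self, value):
        digest = hmac.new(self._derived_key(), value.encode("utf-8"), hashlib.sha1).digest()
        return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")

    def sign(self, value):
        return value + self.sep + self.signature(value)

    def unsign(self, signed_value):
        if self.sep not in signed_value:
            raise BadSignature("No %r found in value" % self.sep)
        value, sig = signed_value.rsplit(self.sep, 1)
        if constant_time_compare(sig, self.signature(value)):
            return value
        raise BadSignature("Signature %r does not match" % sig)


def is_valid(signer, signed_value):
    """True if signer accepts signed_value, False on BadSignature."""
    try:
        signer.unsign(signed_value)
        return True
    except BadSignature:
        return False
```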
