In this code:

    def signature(self, value, salt=''):
        # Derive a new key from the SECRET_KEY, using the optional salt
        key = sha_constructor('signer' + self.key + salt).hexdigest()
        return base64_hmac(value, key)

may I suggest putting the salt before the constant string "signer", like this:

    def signature(self, value, salt=''):
        # Derive a new key from the SECRET_KEY, using the optional salt
        key = sha_constructor(salt + 'signer' + self.key).hexdigest()  ## THIS LINE IS DIFFERENT
        return base64_hmac(value, key)

If a constant string comes first, an attacker can calculate the partial SHA hash of 'signer' and cache the state, making this prefix pretty much useless. By putting the salt first, they'd have to do a lot more calculation. There are obviously other corresponding changes when you check the signature.
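The mechanism the post describes, as an added, self-contained example (not code from the post or from Django): with the constant 'signer' first, the hash state after absorbing that prefix can be computed once, cached, and resumed with hashlib's copy(), so only the variable tail is ever hashed; the two key orderings are shown side by side, together with a sign/unsign pair so that the "corresponding changes when you check the signature" are visible. The base64_hmac helper, the SECRET_KEY, salt and value are assumptions constructed for this example; sha_constructor is taken to be SHA-1.

```python
import base64
import hashlib
import hmac

# Constructed sample inputs (not from the original post).
SECRET_KEY = "not-a-real-secret-key"
SALT = "password-reset"
VALUE = "user:42"


def base64_hmac(value: str, key: str) -> str:
    """URL-safe base64 of HMAC-SHA1(key, value), padding stripped.

    Stand-in for the helper the post calls base64_hmac; its exact shape
    is an assumption of this example.
    """
    mac = hmac.new(key.encode(), value.encode(), hashlib.sha1).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def derive_key_constant_first(secret: str, salt: str = "") -> str:
    """Ordering quoted in the post: sha('signer' + SECRET_KEY + salt)."""
    return hashlib.sha1(("signer" + secret + salt).encode()).hexdigest()


def derive_key_salt_first(secret: str, salt: str = "") -> str:
    """Ordering the post proposes: sha(salt + 'signer' + SECRET_KEY)."""
    return hashlib.sha1((salt + "signer" + secret).encode()).hexdigest()


# A fixed leading string lets anyone absorb it once and keep the resulting
# hash state; every later derivation resumes from a copy of that state.
_SIGNER_PREFIX_STATE = hashlib.sha1(b"signer")


def derive_key_from_cached_prefix(secret: str, salt: str = "") -> str:
    """Same result as derive_key_constant_first, computed from the cached
    'signer' prefix state; only secret + salt is hashed per call."""
    h = _SIGNER_PREFIX_STATE.copy()
    h.update((secret + salt).encode())
    return h.hexdigest()


def sign(value: str, secret: str, salt: str = "", derive=derive_key_salt_first) -> str:
    """value:signature, with the key derived by the chosen ordering."""
    return value + ":" + base64_hmac(value, derive(secret, salt))


def verifies(signed: str, secret: str, salt: str = "", derive=derive_key_salt_first) -> bool:
    """Recompute the signature with the same derivation and compare in
    constant time. The verifier must use the same key ordering as the
    signer, which is the corresponding change the post mentions."""
    value, sep, sig = signed.rpartition(":")
    if not sep:
        return False
    expected = base64_hmac(value, derive(secret, salt))
    return hmac.compare_digest(sig, expected)


def unsign(signed: str, secret: str, salt: str = "", derive=derive_key_salt_first) -> str:
    if not verifies(signed, secret, salt, derive):
        raise ValueError("bad signature")
    return signed.rpartition(":")[0]


if __name__ == "__main__":
    print("cached prefix == constant-first:",
          derive_key_from_cached_prefix(SECRET_KEY, SALT)
          == derive_key_constant_first(SECRET_KEY, SALT))
    token = sign(VALUE, SECRET_KEY, SALT)
    print(token, "->", unsign(token, SECRET_KEY, SALT))
```

Run it directly to see that the cached-prefix derivation reproduces the constant-first key exactly, and that a token signed with one ordering is rejected by a verifier using the other.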