Re: Call for feedback: django.utils.signed and signed cookies

2009-12-22 Thread Johannes Dollinger
Am 22.12.2009 um 08:20 schrieb Simon Willison: > On Dec 22, 12:52 am, Johannes Dollinger > wrote: >> I'd like some more kwargs to Signer and TimestampSigner. Mostly >> what's >> in http://dpaste.com/136418/ (except the `separator` kwarg, which was >> a bad

Re: Call for feedback: django.utils.signed and signed cookies

2009-12-22 Thread Simon Willison
Having talked to James about this I'm holding off on the commit until we've had it reviewed by real cryptographers. I'll aim to get it in before the 1.2 beta feature freeze. Cheers, Simon

Re: Call for feedback: django.utils.signed and signed cookies

2009-12-22 Thread Simon Willison
On Dec 22, 6:22 am, Russell Keith-Magee wrote: > As far as the patch itself is concerned, looks good to me. My only > other request would be a serving of dogfood - if we're going to > include a signed cookie module, it would be nice to prove that it can > actually be used

Re: Call for feedback: django.utils.signed and signed cookies

2009-12-21 Thread Simon Willison
On Dec 22, 12:52 am, Johannes Dollinger wrote: > I'd like some more kwargs to Signer and TimestampSigner. Mostly what's > in http://dpaste.com/136418/ (except the `separator` kwarg, which was > a bad idea as it depends on encode()): Signer(serializer=...)

Re: Call for feedback: django.utils.signed and signed cookies

2009-12-21 Thread Alex Gaynor
On Tue, Dec 22, 2009 at 12:22 AM, Russell Keith-Magee wrote: > On Tue, Dec 22, 2009 at 8:00 AM, Simon Willison > wrote: >> I've made some changes based on the feedback in this thread: >> >>

Re: Call for feedback: django.utils.signed and signed cookies

2009-12-21 Thread Russell Keith-Magee
On Tue, Dec 22, 2009 at 8:00 AM, Simon Willison wrote: > I've made some changes based on the feedback in this thread: > > http://github.com/simonw/django/commit/802952bbb8b763e65ee545c6a8f39524b20e147c > "Use sha('signer' + secret_key + salt) to derive the key for use in

Re: Call for feedback: django.utils.signed and signed cookies

2009-12-21 Thread SmileyChris
On Dec 22, 1:52 pm, Johannes Dollinger wrote:
> There's a small bug in b64_decode(), the padding should be
>         r = len(s) % 4
>         pad = '=' * (r and 4 - r or 0)
Or even simpler: pad = '=' * (-len(s) % 4)

Re: Call for feedback: django.utils.signed and signed cookies

2009-12-21 Thread Johannes Dollinger
There's a small bug in b64_decode(), the padding should be
        r = len(s) % 4
        pad = '=' * (r and 4 - r or 0)
I'd like some more kwargs to Signer and TimestampSigner. Mostly what's in http://dpaste.com/136418/ (except the `separator` kwarg, which was a bad idea as it depends on

Re: Call for feedback: django.utils.signed and signed cookies

2009-12-21 Thread Simon Willison
I've made some changes based on the feedback in this thread: http://github.com/simonw/django/commit/802952bbb8b763e65ee545c6a8f39524b20e147c "Use sha('signer' + secret_key + salt) to derive the key for use in the signature() method, addressing feedback from the django-developers list" The

Re: Call for feedback: django.utils.signed and signed cookies

2009-12-21 Thread Simon Willison
On Dec 21, 2:40 pm, Russell Keith-Magee wrote: >  * I'm not sure I like this being in django.utils. To me, it feels > like something that should be in django.core - along with caching, > serialization, etc, signing is a core piece of functionality that a > website will

Re: Call for feedback: django.utils.signed and signed cookies

2009-12-21 Thread Russell Keith-Magee
On Mon, Dec 21, 2009 at 7:43 PM, Simon Willison wrote: > I've uploaded the patch for adding signing and signed cookies to > Django: > > http://code.djangoproject.com/attachment/ticket/12417/ticket12417.diff > > You can also read the documentation directly on my GitHub

Re: Call for feedback: django.utils.signed and signed cookies

2009-12-21 Thread Marty Alchin
On Mon, Dec 21, 2009 at 8:00 AM, Luke Plant wrote: > Rather than use 'settings.SECRET_KEY' as the default HMAC key, > shouldn't we add a prefix so that any usage of SECRET_KEY can't be > (potentially) used to attack other usages?  We discussed this a while > back.  The new

Re: Call for feedback: django.utils.signed and signed cookies

2009-12-21 Thread Luke Plant
On Monday 21 December 2009 11:43:19 Simon Willison wrote: > The code has documentation and unit tests. The documentation isn't > 100% complete - I need to improve the explanation of what signing > is and why it is useful and document the new COOKIE_SIGNER_BACKEND > setting which allows users to

Call for feedback: django.utils.signed and signed cookies

2009-12-21 Thread Simon Willison
I've uploaded the patch for adding signing and signed cookies to Django: http://code.djangoproject.com/attachment/ticket/12417/ticket12417.diff You can also read the documentation directly on my GitHub branch: http://github.com/simonw/django/blob/signed/docs/topics/signing.txt