emit a warning if a user is using the default hashalg to AuthTkt
| | |
| | | attribute of the request. It no longer fails in this case. See |
| | | https://github.com/Pylons/pyramid/issues/700 |
| | | |
| | | Deprecations |
| | | ------------ |
| | | |
| | | - ``pyramid.authentication.AuthTktAuthenticationPolicy`` will emit a warning |
| | | if an application is using the policy without explicitly setting the |
| | | ``hashalg``. This is because the default is "md5" which is considered |
| | | insecure. If you really want "md5" then you must specify it explicitly to |
| | | get rid of the warning. |
| | | |
| | | Internals |
| | | --------- |
| | | |
| | |
| | | |
| | | - 1.6: Remove IContextURL and TraversalContextURL. |
| | | |
| | | - 1.7: Change ``pyramid.authentication.AuthTktAuthenticationPolicy`` default |
| | | ``hashalg`` to ``sha512``. |
| | | |
| | | Probably Bad Ideas |
| | | ------------------ |
| | | |
| | |
| | | import datetime |
| | | import re |
| | | import time as time_mod |
| | | import warnings |
| | | |
| | | from zope.interface import implementer |
| | | |
| | |
| | | be done somewhere else or in a subclass.""" |
| | | return [] |
| | | |
| | | _marker = object() |
| | | |
| | | @implementer(IAuthenticationPolicy) |
| | | class AuthTktAuthenticationPolicy(CallbackAuthenticationPolicy): |
| | | """A :app:`Pyramid` :term:`authentication policy` which |
| | |
| | | http_only=False, |
| | | wild_domain=True, |
| | | debug=False, |
| | | hashalg='md5', |
| | | hashalg=_marker |
| | | ): |
| | | if hashalg is _marker: |
| | | hashalg = 'md5' |
| | | warnings.warn('The MD5 hash function is known to have collisions. ' |
| | | 'We recommend instead that you update your code to ' |
| | | 'use the SHA512 algorithm by setting ' |
| | | 'hashalg=\'sha512\'. If you accept these risks ' |
| | | 'and want to continue using MD5, explicitly set ' |
| | | 'the hashalg=\'md5\' in your authentication policy. ' |
| | | 'The default algorithm used in this policy is ' |
| | | 'likely to change in the future.', |
| | | DeprecationWarning, |
| | | stacklevel=2) |
| | | self.cookie = AuthTktCookieHelper( |
| | | secret, |
| | | cookie_name=cookie_name, |
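Review bot: The `warnings.warn(...)` call added to `__init__` uses the `DeprecationWarning` category, which CPython's default filters (2.7 and 3.2+) silence for code outside `__main__`, so the application authors who rely on the implicit `'md5'` default will mostly never see this message unless they run with `-W`/`PYTHONWARNINGS`; if the intent is that the insecure default is actually surfaced, consider `UserWarning` (or a policy-specific subclass of it), or at least state the filter requirement in the CHANGES entry. The `_marker = object()` sentinel added in the earlier hunk of this file carries no comment; suggest `# Sentinel default: lets __init__ distinguish "hashalg omitted" from an explicit hashalg='md5'.` Because the effective default now lives in the body rather than the signature, the class docstring (which this hunk only starts) should say that omitting `hashalg` still selects `'md5'` and emits the warning. `__init__`'s signature begins and its body continues outside the hunk.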
| | |
| | | import unittest |
| | | import warnings |
| | | from pyramid import testing |
| | | from pyramid.compat import ( |
| | | text_, |
| | |
| | | inst.cookie = DummyCookieHelper(cookieidentity) |
| | | return inst |
| | | |
| | | def setUp(self): |
| | | self.warnings = warnings.catch_warnings() |
| | | self.warnings.__enter__() |
| | | warnings.simplefilter('ignore', DeprecationWarning) |
| | | |
| | | def tearDown(self): |
| | | self.warnings.__exit__(None, None, None) |
| | | |
| | | def test_allargs(self): |
| | | # pass all known args |
| | | inst = self._getTargetClass()( |