RedHatTraining/pyramid.git

parent: d964d983 | patch | commit | ignore whitespace

Merge pull request #2496 from Pylons/update/hashalg_authtkt

Michael Merickel

2016-04-15 ed4c2a03711277a665b89ed32d56a54bd3857de6

Merge pull request #2496 from Pylons/update/hashalg_authtkt

Switch to sha512 in AuthTktAuthenticationPolicy

3 files modified

	CHANGES.txt	81 ●●●●● patch \| view \| raw \| blame \| history
	TODO.txt	3 ●●●●● patch \| view \| raw \| blame \| history
	pyramid/authentication.py	49 ●●●●● patch \| view \| raw \| blame \| history

 CHANGES.txt

@@ -1,6 +1,22 @@
unreleased
==========

Backward Incompatibilities
--------------------------

- Following the Pyramid deprecation period (1.4 -> 1.6),
  AuthTktAuthenticationPolicy's default hashing algorithm is changing from md5
  to sha512. If you are using the authentication policy and need to continue
  using md5, please explicitly set hashalg to 'md5'.

  This change does mean that any existing auth tickets (and associated cookies)
  will no longer be valid, and users will no longer be logged in, and have to
  login to their accounts again. No other backwards incompatible changes have
  been made.

Features
--------

- Pyramid HTTPExceptions will now take into account the best match for the
  clients Accept header, and depending on what is requested will return
  text/html, application/json or text/plain. The default for */* is still
@@ -8,16 +24,38 @@
  receive a valid JSON response. See:
  https://github.com/Pylons/pyramid/pull/2489

- (Deprecation) Support for Python 3.3 will be removed in Pyramid 1.8.
  https://github.com/Pylons/pyramid/issues/2477

- A new event and interface (BeforeTraversal) has been introduced that will
  notify listeners before traversal starts in the router. See
  https://github.com/Pylons/pyramid/pull/2469 and
  https://github.com/Pylons/pyramid/pull/1876

- Python 2.6 is no longer supported by Pyramid. See
  https://github.com/Pylons/pyramid/issues/2368
- Add a new "view deriver" concept to Pyramid to allow framework authors to
  inject elements into the standard Pyramid view pipeline and affect all
  views in an application. This is similar to a decorator except that it
  has access to options passed to ``config.add_view`` and can affect other
  stages of the pipeline such as the raw response from a view or prior to
  security checks. See https://github.com/Pylons/pyramid/pull/2021


- Allow a leading ``=`` on the key of the request param predicate.
  For example, '=abc=1' is equivalent down to
  ``request.params['=abc'] == '1'``.
  See https://github.com/Pylons/pyramid/pull/1370

- A new ``request.invoke_exception_view(...)`` method which can be used to
  invoke an exception view and get back a response. This is useful for
  rendering an exception view outside of the context of the excview tween
  where you may need more control over the request.
  See https://github.com/Pylons/pyramid/pull/2393

- Allow using variable substitutions like ``%(LOGGING_LOGGER_ROOT_LEVEL)s``
  for logging sections of the .ini file and populate these variables from
  the ``pserve`` command line -- e.g.:
  ``pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG``
  See https://github.com/Pylons/pyramid/pull/2399

Documentation Changes
---------------------

- A complete overhaul of the docs:

@@ -37,8 +75,8 @@
  point for new projects.
  See https://github.com/Pylons/pyramid/pull/2024

- Dropped Python 3.2 support.
  See https://github.com/Pylons/pyramid/pull/2256
Bug Fixes
---------

- Fix ``pserve --browser`` to use the ``--server-name`` instead of the
  app name when selecting a section to use. This was only working for people
@@ -46,29 +84,18 @@
  ``[app:main]`` and ``[server:main]``.
  See https://github.com/Pylons/pyramid/pull/2292

- Allow a leading ``=`` on the key of the request param predicate.
  For example, '=abc=1' is equivalent down to
  ``request.params['=abc'] == '1'``.
  See https://github.com/Pylons/pyramid/pull/1370
Deprecations
------------

- A new ``request.invoke_exception_view(...)`` method which can be used to
  invoke an exception view and get back a response. This is useful for
  rendering an exception view outside of the context of the excview tween
  where you may need more control over the request.
  See https://github.com/Pylons/pyramid/pull/2393
- (Deprecation) Support for Python 3.3 will be removed in Pyramid 1.8.
  https://github.com/Pylons/pyramid/issues/2477

- Allow using variable substitutions like ``%(LOGGING_LOGGER_ROOT_LEVEL)s``
  for logging sections of the .ini file and populate these variables from
  the ``pserve`` command line -- e.g.:
  ``pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG``
  See https://github.com/Pylons/pyramid/pull/2399
- Python 2.6 is no longer supported by Pyramid. See
  https://github.com/Pylons/pyramid/issues/2368

- Add a new "view deriver" concept to Pyramid to allow framework authors to
  inject elements into the standard Pyramid view pipeline and affect all
  views in an application. This is similar to a decorator except that it
  has access to options passed to ``config.add_view`` and can affect other
  stages of the pipeline such as the raw response from a view or prior to
  security checks. See https://github.com/Pylons/pyramid/pull/2021
- Dropped Python 3.2 support.
  See https://github.com/Pylons/pyramid/pull/2256


1.6 (2015-04-14)
================

 TODO.txt

@@ -120,9 +120,6 @@

- 1.6: Remove IContextURL and TraversalContextURL.

- 1.7: Change ``pyramid.authentication.AuthTktAuthenticationPolicy`` default
  ``hashalg`` to ``sha512``.

- 1.8: Remove set_request_property.
- 1.8: Drop Python 3.3 support.


 pyramid/authentication.py

@@ -5,7 +5,6 @@
import base64
import re
import time as time_mod
import warnings

from zope.interface import implementer

@@ -417,19 +416,10 @@
        be done somewhere else or in a subclass."""
        return []

_marker = object()

@implementer(IAuthenticationPolicy)
class AuthTktAuthenticationPolicy(CallbackAuthenticationPolicy):
    """A :app:`Pyramid` :term:`authentication policy` which
    obtains data from a Pyramid "auth ticket" cookie.

    .. warning::

       The default hash algorithm used in this policy is MD5 and has known
       hash collision vulnerabilities. The risk of an exploit is low.
       However, for improved authentication security, use
       ``hashalg='sha512'``.

    Constructor Arguments

@@ -552,7 +542,7 @@

    ``hashalg``

       Default: ``md5`` (the literal string).
       Default: ``sha512`` (the literal string).

       Any hash algorithm supported by Python's ``hashlib.new()`` function
       can be used as the ``hashalg``.
@@ -562,20 +552,9 @@
       ``hashalg`` will imply that all existing users with a valid cookie will
       be required to re-login.

       A warning is emitted at startup if an explicit ``hashalg`` is not
       passed.  This is for backwards compatibility reasons.

       This option is available as of :app:`Pyramid` 1.4.

       Optional.

       .. note::

          ``md5`` is the default for backwards compatibility reasons. However,
          if you don't specify ``md5`` as the hashalg explicitly, a warning is
          issued at application startup time.  An explicit value of ``sha512``
          is recommended for improved security, and ``sha512`` will become the
          default in a future Pyramid version.

    ``debug``

@@ -601,34 +580,10 @@
                 http_only=False,
                 wild_domain=True,
                 debug=False,
                 hashalg=_marker,
                 hashalg='sha512',
                 parent_domain=False,
                 domain=None,
                 ):
        if hashalg is _marker:
            hashalg = 'md5'
            warnings.warn(
                'The MD5 hash function used by default by the '
                'AuthTktAuthenticationPolicy is known to be '
                'susceptible to collision attacks.  It is the current default '
                'for backwards compatibility reasons, but we recommend that '
                'you use the SHA512 algorithm instead for improved security.  '
                'Pass ``hashalg=\'sha512\'`` to the '
                'AuthTktAuthenticationPolicy constructor to do so.\n\nNote '
                'that a change to the hash algorithms will invalidate existing '
                'auth tkt cookies set by your application.  If backwards '
                'compatibility of existing auth tkt cookies is of greater '
                'concern than the risk posed by the potential for a hash '
                'collision, you\'ll want to continue using MD5 explicitly.  '
                'To do so, pass ``hashalg=\'md5\'`` in your application to '
                'the AuthTktAuthenticationPolicy constructor.   When you do so '
                'this warning will not be emitted again.  The default '
                'algorithm used in this policy will change in the future, so '
                'setting an explicit hashalg will futureproof your '
                'application.',
                DeprecationWarning,
                stacklevel=2
                )
        self.cookie = AuthTktCookieHelper(
            secret,
            cookie_name=cookie_name,

			@@ -1,6 +1,22 @@
			unreleased
			==========

			Backward Incompatibilities
			--------------------------

			- Following the Pyramid deprecation period (1.4 -> 1.6),
			AuthTktAuthenticationPolicy's default hashing algorithm is changing from md5
			to sha512. If you are using the authentication policy and need to continue
			using md5, please explicitly set hashalg to 'md5'.

			This change does mean that any existing auth tickets (and associated cookies)
			will no longer be valid, and users will no longer be logged in, and have to
			login to their accounts again. No other backwards incompatible changes have
			been made.

			Features
			--------

			- Pyramid HTTPExceptions will now take into account the best match for the
			clients Accept header, and depending on what is requested will return
			text/html, application/json or text/plain. The default for / is still
			@@ -8,16 +24,38 @@
			receive a valid JSON response. See:
			https://github.com/Pylons/pyramid/pull/2489

			- (Deprecation) Support for Python 3.3 will be removed in Pyramid 1.8.
			https://github.com/Pylons/pyramid/issues/2477

			- A new event and interface (BeforeTraversal) has been introduced that will
			notify listeners before traversal starts in the router. See
			https://github.com/Pylons/pyramid/pull/2469 and
			https://github.com/Pylons/pyramid/pull/1876

			- Python 2.6 is no longer supported by Pyramid. See
			https://github.com/Pylons/pyramid/issues/2368
			- Add a new "view deriver" concept to Pyramid to allow framework authors to
			inject elements into the standard Pyramid view pipeline and affect all
			views in an application. This is similar to a decorator except that it
			has access to options passed to ``config.add_view`` and can affect other
			stages of the pipeline such as the raw response from a view or prior to
			security checks. See https://github.com/Pylons/pyramid/pull/2021


			- Allow a leading ``=`` on the key of the request param predicate.
			For example, '=abc=1' is equivalent down to
			``request.params['=abc'] == '1'``.
			See https://github.com/Pylons/pyramid/pull/1370

			- A new ``request.invoke_exception_view(...)`` method which can be used to
			invoke an exception view and get back a response. This is useful for
			rendering an exception view outside of the context of the excview tween
			where you may need more control over the request.
			See https://github.com/Pylons/pyramid/pull/2393

			- Allow using variable substitutions like ``%(LOGGING_LOGGER_ROOT_LEVEL)s``
			for logging sections of the .ini file and populate these variables from
			the ``pserve`` command line -- e.g.:
			``pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG``
			See https://github.com/Pylons/pyramid/pull/2399

			Documentation Changes
			---------------------

			- A complete overhaul of the docs:

			@@ -37,8 +75,8 @@
			point for new projects.
			See https://github.com/Pylons/pyramid/pull/2024

			- Dropped Python 3.2 support.
			See https://github.com/Pylons/pyramid/pull/2256
			Bug Fixes
			---------

			- Fix ``pserve --browser`` to use the ``--server-name`` instead of the
			app name when selecting a section to use. This was only working for people
			@@ -46,29 +84,18 @@
			``[app:main]`` and ``[server:main]``.
			See https://github.com/Pylons/pyramid/pull/2292

			- Allow a leading ``=`` on the key of the request param predicate.
			For example, '=abc=1' is equivalent down to
			``request.params['=abc'] == '1'``.
			See https://github.com/Pylons/pyramid/pull/1370
			Deprecations
			------------

			- A new ``request.invoke_exception_view(...)`` method which can be used to
			invoke an exception view and get back a response. This is useful for
			rendering an exception view outside of the context of the excview tween
			where you may need more control over the request.
			See https://github.com/Pylons/pyramid/pull/2393
			- (Deprecation) Support for Python 3.3 will be removed in Pyramid 1.8.
			https://github.com/Pylons/pyramid/issues/2477

			- Allow using variable substitutions like ``%(LOGGING_LOGGER_ROOT_LEVEL)s``
			for logging sections of the .ini file and populate these variables from
			the ``pserve`` command line -- e.g.:
			``pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG``
			See https://github.com/Pylons/pyramid/pull/2399
			- Python 2.6 is no longer supported by Pyramid. See
			https://github.com/Pylons/pyramid/issues/2368

			- Add a new "view deriver" concept to Pyramid to allow framework authors to
			inject elements into the standard Pyramid view pipeline and affect all
			views in an application. This is similar to a decorator except that it
			has access to options passed to ``config.add_view`` and can affect other
			stages of the pipeline such as the raw response from a view or prior to
			security checks. See https://github.com/Pylons/pyramid/pull/2021
			- Dropped Python 3.2 support.
			See https://github.com/Pylons/pyramid/pull/2256


			1.6 (2015-04-14)
			================

			@@ -120,9 +120,6 @@

			- 1.6: Remove IContextURL and TraversalContextURL.

			- 1.7: Change ``pyramid.authentication.AuthTktAuthenticationPolicy`` default
			``hashalg`` to ``sha512``.

			- 1.8: Remove set_request_property.
			- 1.8: Drop Python 3.3 support.

			@@ -5,7 +5,6 @@
			import base64
			import re
			import time as time_mod
			import warnings

			from zope.interface import implementer

			@@ -417,19 +416,10 @@
			be done somewhere else or in a subclass."""
			return []

			_marker = object()

			@implementer(IAuthenticationPolicy)
			class AuthTktAuthenticationPolicy(CallbackAuthenticationPolicy):
			"""A :app:`Pyramid` :term:`authentication policy` which
			obtains data from a Pyramid "auth ticket" cookie.

			.. warning::

			The default hash algorithm used in this policy is MD5 and has known
			hash collision vulnerabilities. The risk of an exploit is low.
			However, for improved authentication security, use
			``hashalg='sha512'``.

			Constructor Arguments

			@@ -552,7 +542,7 @@

			``hashalg``

			Default: ``md5`` (the literal string).
			Default: ``sha512`` (the literal string).

			Any hash algorithm supported by Python's ``hashlib.new()`` function
			can be used as the ``hashalg``.
			@@ -562,20 +552,9 @@
			``hashalg`` will imply that all existing users with a valid cookie will
			be required to re-login.

			A warning is emitted at startup if an explicit ``hashalg`` is not
			passed. This is for backwards compatibility reasons.

			This option is available as of :app:`Pyramid` 1.4.

			Optional.

			.. note::

			``md5`` is the default for backwards compatibility reasons. However,
			if you don't specify ``md5`` as the hashalg explicitly, a warning is
			issued at application startup time. An explicit value of ``sha512``
			is recommended for improved security, and ``sha512`` will become the
			default in a future Pyramid version.

			``debug``

			@@ -601,34 +580,10 @@
			http_only=False,
			wild_domain=True,
			debug=False,
			hashalg=_marker,
			hashalg='sha512',
			parent_domain=False,
			domain=None,
			):
			if hashalg is _marker:
			hashalg = 'md5'
			warnings.warn(
			'The MD5 hash function used by default by the '
			'AuthTktAuthenticationPolicy is known to be '
			'susceptible to collision attacks. It is the current default '
			'for backwards compatibility reasons, but we recommend that '
			'you use the SHA512 algorithm instead for improved security. '
			'Pass ``hashalg=\'sha512\'`` to the '
			'AuthTktAuthenticationPolicy constructor to do so.\n\nNote '
			'that a change to the hash algorithms will invalidate existing '
			'auth tkt cookies set by your application. If backwards '
			'compatibility of existing auth tkt cookies is of greater '
			'concern than the risk posed by the potential for a hash '
			'collision, you\'ll want to continue using MD5 explicitly. '
			'To do so, pass ``hashalg=\'md5\'`` in your application to '
			'the AuthTktAuthenticationPolicy constructor. When you do so '
			'this warning will not be emitted again. The default '
			'algorithm used in this policy will change in the future, so '
			'setting an explicit hashalg will futureproof your '
			'application.',
			DeprecationWarning,
			stacklevel=2
			)
			self.cookie = AuthTktCookieHelper(
			secret,
			cookie_name=cookie_name,