Fix issue that occurs when using bytes as secret key.

The Django secret key can and should be random bytes which may or may
not be decodable to UTF-8.

Author: Andres Mejia

debug_toolbar/panels/sql/forms.py

@@ -9,7 +9,7 @@
 from django.core.exceptions import ValidationError
 from django.db import connections
 from django.utils.crypto import constant_time_compare
-from django.utils.encoding import force_text
+from django.utils.encoding import force_bytes
 from django.utils.functional import cached_property
 
 from debug_toolbar.panels.sql.utils import reformat_sql
@@ -79,12 +79,10 @@ def reformat_sql(self):
         return reformat_sql(self.cleaned_data['sql'])
 
     def make_hash(self, data):
-        items = [data['sql'], data['params']]
-        # Replace lines endings with spaces to preserve the hash value
-        # even when the browser normalizes \r\n to \n in inputs.
-        items = [' '.join(force_text(item).splitlines()) for item in items]
-        return hmac.new(settings.SECRET_KEY.encode('utf-8'),
-                        ''.join(items).encode('utf-8'), hashlib.sha1).hexdigest()
+        m = hmac.new(key=force_bytes(settings.SECRET_KEY), digestmod=hashlib.sha1)
+        for item in [data['sql'], data['params']]:
+            m.update(force_bytes(item))
+        return m.hexdigest()
 
     @property
     def connection(self):

tests/settings.py

@@ -7,7 +7,7 @@
 
 # Quick-start development settings - unsuitable for production
 
-SECRET_KEY = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890'
+SECRET_KEY = bytes(bytearray([i for i in range(256)]))
 
 INTERNAL_IPS = ['127.0.0.1']