From 48ff898685826a5c37e1914d05ad59408b267528 Mon Sep 17 00:00:00 2001
From: Andres Mejia
Date: Sat, 29 Oct 2016 14:43:31 -0400
Subject: [PATCH] Fix issue that occurs when using bytes as secret key.

The Django secret key can and should be random bytes which may or may not be decodable to UTF-8.
---
 debug_toolbar/panels/sql/forms.py | 12 +++++-------
 tests/settings.py | 2 +-
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/debug_toolbar/panels/sql/forms.py b/debug_toolbar/panels/sql/forms.py
index e64e7b4fb..a4e622f51 100644
--- a/debug_toolbar/panels/sql/forms.py
+++ b/debug_toolbar/panels/sql/forms.py
@@ -9,7 +9,7 @@
 from django.core.exceptions import ValidationError
 from django.db import connections
 from django.utils.crypto import constant_time_compare
-from django.utils.encoding import force_text
+from django.utils.encoding import force_bytes
 from django.utils.functional import cached_property
 from debug_toolbar.panels.sql.utils import reformat_sql
@@ -79,12 +79,10 @@ def reformat_sql(self):
 return reformat_sql(self.cleaned_data['sql'])
 def make_hash(self, data):
-        items = [data['sql'], data['params']]
-        # Replace lines endings with spaces to preserve the hash value
-        # even when the browser normalizes \r\n to \n in inputs.
-        items = [' '.join(force_text(item).splitlines()) for item in items]
-        return hmac.new(settings.SECRET_KEY.encode('utf-8'),
-            ''.join(items).encode('utf-8'), hashlib.sha1).hexdigest()
+        m = hmac.new(key=force_bytes(settings.SECRET_KEY), digestmod=hashlib.sha1)
+        for item in [data['sql'], data['params']]:
+            m.update(force_bytes(item))
+        return m.hexdigest()
 @property
 def connection(self):
diff --git a/tests/settings.py b/tests/settings.py
index 77272c106..bfcbf1c2e 100644
--- a/tests/settings.py
+++ b/tests/settings.py
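Review bot: The new make_hash body drops the line-ending normalization that the removed lines performed, so SQL containing `\r\n` will hash differently once the browser has normalized it to `\n` in the form input, and the round-trip check that constant_time_compare is imported for will presumably reject the toolbar's own queries. The normalization can be kept on the bytes side without reinstating force_text: `m.update(b' '.join(force_bytes(item).splitlines()))`, preceded by `# browsers normalize \r\n to \n in form inputs; join lines so the hash survives the round trip`. Separately, the two update calls are equivalent to hashing sql and params concatenated with no separator, so shifting the boundary between them yields the same HMAC; since both the producer and the verifier of the hash call this method, a length prefix per encoded chunk (e.g. `m.update(('%d:' % len(chunk)).encode('ascii'))` before `m.update(chunk)`) can be added now without a compatibility cost. The class that contains make_hash starts outside the hunk.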
@@ -7,7 +7,7 @@
 # Quick-start development settings - unsuitable for production
-SECRET_KEY = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890'
+SECRET_KEY = bytes(bytearray([i for i in range(256)]))
 INTERNAL_IPS = ['127.0.0.1']
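Review bot: The new SECRET_KEY is a deliberately non-UTF-8 byte string, but nothing in the file records that it is a regression fixture for the bytes-key case in make_hash, so a later cleanup could silently revert it to a str; a comment such as `# bytes covering every value 0-255, so not valid UTF-8: exercises make_hash() with a bytes SECRET_KEY` would preserve the intent. The list comprehension is also redundant, since `bytes(bytearray(range(256)))` builds the same value (the bytearray detour is what keeps it correct on Python 2, where `bytes(range(256))` would stringify the range). The rest of the settings module is outside the hunk.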