diff options
| author | Ade Lee <alee@redhat.com> | 2021-08-10 18:13:54 -0400 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-10-12 08:58:27 +0200 |
| commit | d10c7bfe56f025ccc690721c9f13e7029b777b9c (patch) | |
| tree | 0f3cab5666f8cd69c99f3b91822e2f28b8dcf609 /django/utils/cache.py | |
| parent | b1b26b37aff0c80d6abdf15c5ffdf0440a9a1d6a (diff) | |
| download | django-d10c7bfe56f025ccc690721c9f13e7029b777b9c.tar.gz | |
Fixed #28401 -- Allowed hashlib.md5() calls to work with FIPS kernels.
md5 is not an approved algorithm in FIPS mode, and trying to instantiate
a hashlib.md5() will fail when the system is running in FIPS mode.
md5 is allowed when in a non-security context. There is a plan to add a
keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether
or not the instance is being used in a security context.
In the case where it is not, the instantiation of md5 will be allowed.
See https://bugs.python.org/issue9216 for more details.
Some downstream python versions already support this parameter. To
support these versions, a new encapsulation of md5() has been added.
This encapsulation will pass through the usedforsecurity parameter in
the case where the parameter is supported, and strip it if it is not.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Diffstat (limited to 'django/utils/cache.py')
| -rw-r--r-- | django/utils/cache.py | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/django/utils/cache.py b/django/utils/cache.py index bb756fe60c..c0e47e0e42 100644 --- a/django/utils/cache.py +++ b/django/utils/cache.py @@ -16,13 +16,13 @@ cache keys to prevent delivery of wrong content. An example: i18n middleware would need to distinguish caches by the "Accept-language" header. """ -import hashlib import time from collections import defaultdict from django.conf import settings from django.core.cache import caches from django.http import HttpResponse, HttpResponseNotModified +from django.utils.crypto import md5 from django.utils.http import ( http_date, parse_etags, parse_http_date_safe, quote_etag, ) @@ -118,7 +118,9 @@ def get_max_age(response): def set_response_etag(response): if not response.streaming and response.content: - response.headers['ETag'] = quote_etag(hashlib.md5(response.content).hexdigest()) + response.headers['ETag'] = quote_etag( + md5(response.content, usedforsecurity=False).hexdigest(), + ) return response @@ -325,12 +327,12 @@ def _i18n_cache_key_suffix(request, cache_key): def _generate_cache_key(request, method, headerlist, key_prefix): """Return a cache key from the headers given in the header list.""" - ctx = hashlib.md5() + ctx = md5(usedforsecurity=False) for header in headerlist: value = request.META.get(header) if value is not None: ctx.update(value.encode()) - url = hashlib.md5(request.build_absolute_uri().encode('ascii')) + url = md5(request.build_absolute_uri().encode('ascii'), usedforsecurity=False) cache_key = 'views.decorators.cache.cache_page.%s.%s.%s.%s' % ( key_prefix, method, url.hexdigest(), ctx.hexdigest()) return _i18n_cache_key_suffix(request, cache_key) @@ -338,7 +340,7 @@ def _generate_cache_key(request, method, headerlist, key_prefix): def _generate_cache_header_key(key_prefix, request): """Return a cache key for the header cache.""" - url = hashlib.md5(request.build_absolute_uri().encode('ascii')) + url = md5(request.build_absolute_uri().encode('ascii'), usedforsecurity=False) cache_key = 'views.decorators.cache.cache_header.%s.%s' % ( key_prefix, url.hexdigest()) return _i18n_cache_key_suffix(request, cache_key) |