forked from dcramer/django-compositepks
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathREADME.sec
21 lines (13 loc) · 1.21 KB
/
README.sec
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
This is the README for the team making security updates to django.
TODO:
Sat Sep 10 16:44:14 PDT 2011
[Done] We are moving /splitting our work [HashToken, RandomToken, etc.]
out of django/utils/crypto.py into django/utils/tokens.py
[Done] We also need to have the funtionality of contrib/auth/tokens.py in django/utils/tokens.py (eventually, we can move this out of contrib...)
[ ] We also need to have the funtionality of contrib/auth/utils.py in django/utils/crypto.py (?), but there are multiple password encodings (eventually, we can move this out of contrib...)
[Done] Do we need to do anything with django/utils/hashcompat.py ? (e.g. change the warning message to ref. tokens.py?)
- Essentially, Justine (github.com/jart/django) already solved this; just merge her work when we're all done.
[ ] I assume we want to leave django/utils/crypto alone, not using new django/utils/token - maybe not;
UPDATE: Opinion: I may try using sha256 from within here too, once other areas are sorted out - and using alphanumeric(),
rather than hexdigest() whereever it is called. If length is (anywhere) an issue, we'll deal with that just as for session keys,
that is, 20-bits less than the hexdigest returns.