From 119d7768bf3acbcebb0104a565fcbdbd336eb141 Mon Sep 17 00:00:00 2001
From: Brian Wilson
Date: Mon, 2 Jun 2014 12:31:44 -0400
Subject: [PATCH] Also use md5 for constructing key for hmac.
---
 common/djangoapps/track/middleware.py | 10 +++++-----
 common/djangoapps/track/tests/test_middleware.py | 1 +
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/common/djangoapps/track/middleware.py b/common/djangoapps/track/middleware.py
index 2f7e9eb80b..01be004d43 100644
--- a/common/djangoapps/track/middleware.py
+++ b/common/djangoapps/track/middleware.py
@@ -125,12 +125,12 @@ class TrackMiddleware(object):
 return ''
 # Follow the model of django.utils.crypto.salted_hmac() and
- # django.contrib.sessions.backends.base._hash(), but use MD5
- # so that the result has the same length (32) as the original
- # session_key.
+ # django.contrib.sessions.backends.base._hash() but use MD5
+ # instead of SHA1 so that the result has the same length (32)
+ # as the original session_key.
 key_salt = "common.djangoapps.track" + self.__class__.__name__
- key = hashlib.sha1(key_salt + settings.SECRET_KEY).digest()
- encrypted_session_key = hmac.new(key, msg=session_key).hexdigest()
+ key = hashlib.md5(key_salt + settings.SECRET_KEY).digest()
+ encrypted_session_key = hmac.new(key, msg=session_key, digestmod=hashlib.md5).hexdigest()
 return encrypted_session_key
 def get_user_primary_key(self, request):
diff --git a/common/djangoapps/track/tests/test_middleware.py b/common/djangoapps/track/tests/test_middleware.py
index 3c9a43b181..2c1afb4ee5 100644
--- a/common/djangoapps/track/tests/test_middleware.py
+++ b/common/djangoapps/track/tests/test_middleware.py
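Review bot: The stated goal on the new comment lines, a 32-character result matching the session_key length, does not require MD5: truncating an HMAC-SHA256 hexdigest gives the same length without an algorithm that FIPS-mode builds and compliance scans reject, e.g. `key = hashlib.sha256(key_salt + settings.SECRET_KEY).digest()` and `encrypted_session_key = hmac.new(key, msg=session_key, digestmod=hashlib.sha256).hexdigest()[:32]` (truncating HMAC output is explicitly permitted by RFC 2104). HMAC-MD5 is not itself broken as a MAC, so this is hygiene rather than a vulnerability, but the comment should say that MD5 is chosen only for output length so a later reader does not take it for a cryptographic requirement. The value is a keyed hash of the session key, not an encryption of it, and the comment could state that it cannot be reversed to recover the session_key and that rotating SECRET_KEY changes every pseudonym in the tracking log. Making digestmod explicit is an improvement in its own right, since `hmac.new` without it silently defaults to MD5 on Python 2. encrypt_session_key's def line and its early-return guard lie above the hunk.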
@@ -118,6 +118,7 @@ class TrackMiddlewareTestCase(TestCase):
 request.session.save()
 session_key = request.session.session_key
 expected_session_key = self.track_middleware.encrypt_session_key(session_key)
+ self.assertEquals(len(session_key), len(expected_session_key))
 context = self.get_context_for_request(request)
 self.assert_dict_subset(context, {
 'session': expected_session_key,
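Review bot: The added assertion pins only the output length, while the property the tracking context depends on is that the raw session key never reaches the log; adding `self.assertNotEqual(session_key, expected_session_key)` beside it would catch a regression in which encrypt_session_key returns its input unchanged yet still has the right length. `assertEquals` is a deprecated alias of `assertEqual`, so prefer the canonical name unless this file consistently uses the alias. The enclosing test method begins above the hunk.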