Re: [Django] #34804: legacy_algorithm = 'sha1' removed in django4.0 but new algorithm is hardcoded


Django

Aug 30, 2023, 5:46:18 AM8/30/23
to django-...@googlegroups.com
#34804: legacy_algorithm = 'sha1' removed in django4.0 but new algorithm is
hardcoded
-------------------------------------+-------------------------------------
Reporter: Awais Qureshi | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Core (Other) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Awais Qureshi:

Old description:

> I am trying to upgrade from django32 to 42 and facing an issue in
> https://github.com/django/django/blob/3.2/django/core/signing.py#L124
>
> in django32 it is like this
>
> # RemovedInDjango40Warning.
> legacy_algorithm = 'sha1'
>
> and in __init__ method it picks the value like this
> `self.algorithm = algorithm or settings.DEFAULT_HASHING_ALGORITHM`
>
> In django42
> https://github.com/django/django/blob/4.2.4/django/core/signing.py#L204
>
> algorithm getting value like this
>
> self.algorithm = algorithm or "sha256" (it's a hardcoded value and can be
> picked via settings)
>
> So here is my code: I am using the dumps method, `signing.dumps(data_to_sign,
> salt=self.key_salt)`, and it further calls the `TimestampSigner`, so I am
> not able to find any way to pass the `sha1` which is my current prod
> setting.
>
> Last option for me is to override the class.
>
> Proposed solution is like previous one in __init__ method it picks the
> value like this
>
> `self.algorithm = algorithm or settings.DEFAULT_HASHING_ALGORITHM`

New description:

I am trying to upgrade from django32 to 42 and facing an issue in
https://github.com/django/django/blob/3.2/django/core/signing.py#L124

in django32 it is like this

# RemovedInDjango40Warning.
legacy_algorithm = 'sha1'

and in __init__ method it picks the value like this
`self.algorithm = algorithm or settings.DEFAULT_HASHING_ALGORITHM`

In django42
https://github.com/django/django/blob/4.2.4/django/core/signing.py#L204

algorithm getting value like this

self.algorithm = algorithm or "sha256" (it's a hardcoded value and can be
picked via settings)

So here is my code: I am using the dumps method, `signing.dumps(data_to_sign,
salt=self.key_salt)`, and it further calls the `TimestampSigner`, so I am
not able to find any way to pass the `sha1` which is my current prod
setting.

Last option for me is to override the class.

since `DEFAULT_HASHING_ALGORITHM` is removed. So maybe pass the param from
dumps.

--
Ticket URL: <https://code.djangoproject.com/ticket/34804#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Aug 30, 2023, 6:21:18 AM8/30/23
to django-...@googlegroups.com
#34804: legacy_algorithm = 'sha1' removed in django4.0 but new algorithm is
hardcoded
-------------------------------------+-------------------------------------
Reporter: Awais Qureshi | Owner: nobody
Type: Cleanup/optimization | Status: closed
Component: Core (Other) | Version: 4.2
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* status: new => closed
* resolution: => invalid


Comment:

`signing.dumps()` uses the default `Signer` algorithm, i.e. `SHA256` (as
documented). I'm not sure why you want to force unsafe `SHA1`, but you can
do this by using `TimestampSigner(algorithm="sha1")` in your code.

--
Ticket URL: <https://code.djangoproject.com/ticket/34804#comment:3>
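
The algorithm mismatch behind this ticket, as an added example that is neither Django's code nor part of the thread: a simplified model of Django's salted-HMAC signing (the `salt + "signer"` key derivation and the URL-safe base64 signature follow Django's documented `Signer` construction; the secret and salt values are constructed for the demo, and `unsign_with_fallback`/`resign_if_legacy` are hypothetical migration helpers). It shows that a value signed with `sha1` does not verify under `sha256`, and how an upgrade can accept legacy `sha1` values transitionally while reissuing them with `sha256` rather than keeping `sha1` as the default.

```python
import base64
import hashlib
import hmac

# Constructed demo values: not real Django settings.
SECRET = "constructed-demo-secret-key"
SALT = "django.core.signing"  # the default salt used by signing.dumps()

def _salted_hmac(key_salt: str, value: str, secret: str, algorithm: str) -> bytes:
    # Key derivation modelled on Django's salted_hmac(): the HMAC key is
    # hash(key_salt + secret) computed with the same algorithm as the MAC.
    hasher = getattr(hashlib, algorithm)
    key = hasher((key_salt + secret).encode()).digest()
    return hmac.new(key, msg=value.encode(), digestmod=hasher).digest()

def signature(value: str, algorithm: str, secret: str = SECRET, salt: str = SALT) -> str:
    # Signer appends "signer" to its salt before deriving the key.
    mac = _salted_hmac(salt + "signer", value, secret, algorithm)
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")

def sign(value: str, algorithm: str = "sha256", **kw) -> str:
    # Signed form is "<value>:<signature>", like Signer.sign(); sha256 is the
    # Django 4.x default that the ticket found hardcoded.
    return f"{value}:{signature(value, algorithm, **kw)}"

def verifies(signed: str, algorithm: str = "sha256", **kw) -> bool:
    value, _, sig = signed.rpartition(":")
    return hmac.compare_digest(sig, signature(value, algorithm, **kw))

def unsign(signed: str, algorithm: str = "sha256", **kw) -> str:
    if not verifies(signed, algorithm, **kw):
        raise ValueError(f"bad signature for algorithm {algorithm!r}")
    return signed.rpartition(":")[0]

def unsign_with_fallback(signed: str, algorithms=("sha256", "sha1"), **kw):
    """Verify with the current algorithm first and the legacy one second.
    Returns (value, algorithm_that_matched) so the caller can tell legacy
    tokens apart and re-sign them with sha256 instead of keeping sha1 alive."""
    for algorithm in algorithms:
        if verifies(signed, algorithm, **kw):
            return signed.rpartition(":")[0], algorithm
    raise ValueError("bad signature under every accepted algorithm")

def resign_if_legacy(signed: str, **kw) -> str:
    # Migration helper: anything that only verifies under sha1 is reissued
    # with sha256; values already signed with sha256 are returned unchanged.
    value, algorithm = unsign_with_fallback(signed, **kw)
    return signed if algorithm == "sha256" else sign(value, "sha256", **kw)
```

Once every stored value has passed through `resign_if_legacy`, `"sha1"` can be dropped from the accepted list so the fallback window closes.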
