python3: encode unicode-objects before hashing (#40570)

Nicolas Roche 2020-03-10 11:13:22 +01:00
parent 3214b296bc
commit f987c27631
4 changed files with 18 additions and 14 deletions


@ -24,7 +24,7 @@ import psycopg2
from django.core.cache import cache
from django.conf import settings
from django.utils.encoding import force_text
from django.utils.encoding import force_bytes, force_text
from django.utils.translation import ugettext_lazy as _
from . import schemas
@ -132,7 +132,8 @@ class EngineDimension(object):
return getattr(self.dimension, name)
def cache_key(self, filters):
return hashlib.md5(self.engine.path + self.engine_cube.name + self.name + repr(filters)).hexdigest()
key = self.engine.path + self.engine_cube.name + self.name + repr(filters)
return hashlib.md5(force_bytes(key)).hexdigest()
def members(self, filters=()):
assert self.type != 'date'
@ -244,8 +245,9 @@ class EngineJSONDimension(EngineDimension):
self.dimension = SchemaJSONDimension(self.engine_cube.json_field, name)
def cache_key(self, filters):
return hashlib.md5(self.engine.path + self.engine_cube.json_field
+ self.engine_cube.name + self.name + repr(filters)).hexdigest()
key = (self.engine.path + self.engine_cube.json_field
+ self.engine_cube.name + self.name + repr(filters))
return hashlib.md5(force_bytes(key)).hexdigest()
def to_json(self):
return {
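Review bot: Both `cache_key` methods (in `EngineDimension` and `EngineJSONDimension`) build the hashed string by plain concatenation of `engine.path`, the cube name, the dimension name and `repr(filters)`, so two different combinations can yield the same string and share one cache entry (constructed example: names `ab` + `c` versus `a` + `bc`). Joining the parts with a separator removes the ambiguity, e.g. `key = '$'.join([self.engine.path, self.engine_cube.name, self.name, repr(filters)])`; whether colliding names can occur in a real deployment is not visible from this hunk. A short comment such as `# md5 only shortens the cache key, it is not a security control` would also stop readers from treating the digest as an integrity check.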


@ -22,6 +22,7 @@ import urllib
import random
import logging
from django.utils.encoding import force_bytes, smart_bytes
from django.utils.six.moves.urllib import parse as urlparse
@ -55,9 +56,7 @@ def sign_query(query, key, algo='sha256', timestamp=None, nonce=None):
def sign_string(s, key, algo='sha256', timedelta=30):
digestmod = getattr(hashlib, algo)
if isinstance(key, unicode):
key = key.encode('utf-8')
hash = hmac.HMAC(key, digestmod=digestmod, msg=s)
hash = hmac.HMAC(smart_bytes(key), digestmod=digestmod, msg=smart_bytes(s))
return hash.digest()
@ -69,7 +68,7 @@ def check_url(url, key, known_nonce=None, timedelta=30):
def check_query(query, key, known_nonce=None, timedelta=30):
res, error = check_query2(query, key, known_nonce=known_nonce, timedelta=timedelta)
if not res:
key_hash = 'md5:%s' % hashlib.md5(key).hexdigest()[:6]
key_hash = 'md5:%s' % hashlib.md5(force_bytes(key)).hexdigest()[:6]
logging.getLogger(__name__).warning(
'could not check signature of query %r with key %s: %s', query, key_hash, error)
return res
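Review bot: In `sign_string`, `smart_bytes(key)` coerces any non-string key instead of rejecting it, so a key that is `None` (for instance an unset configuration value) becomes the bytes `b'None'` and the HMAC is computed with a guessable key; the removed code only encoded unicode keys and passed every other type to `hmac.HMAC` unchanged. A guard before the HMAC call, `if not key: raise ValueError('missing signature key')`, keeps a misconfiguration from silently producing valid-looking signatures; whether any caller can pass an empty key is not visible here. The file also now imports both `force_bytes` and `smart_bytes` for the same job, and using `force_bytes` in both places would be more consistent.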


@ -25,7 +25,7 @@ import copy
import collections
from django.core.cache import cache
from django.utils.encoding import force_text
from django.utils.encoding import force_bytes, force_text
from django.utils.safestring import mark_safe
from django.utils.translation import ugettext_lazy as _
from django.http import Http404
@ -151,7 +151,7 @@ class Visualization(object):
keys += [dim.name for dim in self.drilldown]
keys += [self.measure.name]
key = '$'.join(v.encode('utf8') for v in keys)
return hashlib.md5(key).hexdigest()
return hashlib.md5(force_bytes(key)).hexdigest()
def data(self):
'''Execute aggregation query, list members and check None values in
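Review bot: The unchanged line just above the edit still builds `key` with `'$'.join(v.encode('utf8') for v in keys)`, and on Python 3 those items are bytes, so the `str.join` raises `TypeError` before `force_bytes(key)` is ever reached. Joining text and encoding once works on both interpreters and yields the same digest as before on Python 2: `key = '$'.join(force_text(v) for v in keys)` followed by the existing `return hashlib.md5(force_bytes(key)).hexdigest()`. The method these lines belong to starts above the hunk, so its name and the earlier contents of `keys` are not visible here.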


@ -21,7 +21,7 @@ import json
from django.conf import settings
from django.contrib import messages
from django.utils.encoding import force_text
from django.utils.encoding import force_bytes, force_text
from django.utils.text import slugify
from django.utils.translation import ungettext, ugettext as _
from django.views.generic.edit import CreateView, DeleteView, UpdateView, FormView
@ -175,7 +175,8 @@ class VisualizationView(views.AuthorizationMixin, CubeDisplayMixin, DetailView):
initial['filter__%s' % key] = value
ctx['form'] = forms.CubeForm(cube=self.cube, initial=initial)
path = reverse('visualization-iframe', args=self.args, kwargs=self.kwargs)
signature = hashlib.sha1(path + settings.SECRET_KEY).hexdigest()
signature = path + settings.SECRET_KEY
signature = hashlib.sha1(force_bytes(signature)).hexdigest()
path += '?signature=' + signature
ctx['iframe_url'] = path
return ctx
@ -186,7 +187,8 @@ class SignatureAuthorizationMixin(views.AuthorizationMixin):
if request.user.is_authenticated() and request.user.is_superuser:
return True
if 'signature' in request.GET:
signature = hashlib.sha1(request.path + settings.SECRET_KEY).hexdigest()
signature = request.path + settings.SECRET_KEY
signature = hashlib.sha1(force_bytes(signature)).hexdigest()
if request.GET['signature'] == signature:
return True
return False
@ -241,7 +243,8 @@ class VisualizationsJSONView(MultipleObjectMixin, View):
data = []
for visualization in self.get_queryset():
path = reverse('visualization-iframe', kwargs={'pk': visualization.pk})
sig = hashlib.sha1(path + settings.SECRET_KEY).hexdigest()
sig = path + settings.SECRET_KEY
sig = hashlib.sha1(force_bytes(sig)).hexdigest()
path += '?signature=' + sig
data_uri = reverse('visualization-json', kwargs={'pk': visualization.pk})
data.append({
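Review bot: The check in `SignatureAuthorizationMixin` still compares `request.GET['signature'] == signature` with an ordinary string comparison, and the value is a plain `sha1(path + SECRET_KEY)` digest rather than a keyed MAC; the commit rewrites these lines but keeps both properties. The comparison should be `constant_time_compare(request.GET['signature'], signature)` from `django.utils.crypto`. The three identical two-line computations in `VisualizationView`, the mixin and `VisualizationsJSONView` would be better as one helper built on `django.utils.crypto.salted_hmac`, so the generating and verifying sides cannot drift apart and `SECRET_KEY` is not fed directly into a bare hash. Switching the construction invalidates iframe URLs already handed out, so it needs a transition period. The enclosing methods start outside the hunks.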