From f987c27631dc8bbdeae1460338284892044d108c Mon Sep 17 00:00:00 2001
From: Nicolas ROCHE
Date: Tue, 10 Mar 2020 11:13:22 +0100
Subject: [PATCH] python3: encode unicode-objects before hashing (#40570)
---
 bijoe/engine.py | 10 ++++++----
 bijoe/visualization/signature.py | 7 +++----
 bijoe/visualization/utils.py | 4 ++--
 bijoe/visualization/views.py | 11 +++++++----
 4 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/bijoe/engine.py b/bijoe/engine.py
index f83c599..fe0d89f 100644
--- a/bijoe/engine.py
+++ b/bijoe/engine.py
@@ -24,7 +24,7 @@ import psycopg2
 from django.core.cache import cache
 from django.conf import settings
-from django.utils.encoding import force_text
+from django.utils.encoding import force_bytes, force_text
 from django.utils.translation import ugettext_lazy as _
 from . import schemas
@@ -132,7 +132,8 @@ class EngineDimension(object):
 return getattr(self.dimension, name)
 def cache_key(self, filters):
- return hashlib.md5(self.engine.path + self.engine_cube.name + self.name + repr(filters)).hexdigest()
+ key = self.engine.path + self.engine_cube.name + self.name + repr(filters)
+ return hashlib.md5(force_bytes(key)).hexdigest()
 def members(self, filters=()):
 assert self.type != 'date'
@@ -244,8 +245,9 @@ class EngineJSONDimension(EngineDimension):
 self.dimension = SchemaJSONDimension(self.engine_cube.json_field, name)
 def cache_key(self, filters):
- return hashlib.md5(self.engine.path + self.engine_cube.json_field
- + self.engine_cube.name + self.name + repr(filters)).hexdigest()
+ key = (self.engine.path + self.engine_cube.json_field
+ + self.engine_cube.name + self.name + repr(filters))
+ return hashlib.md5(force_bytes(key)).hexdigest()
 def to_json(self):
 return {
diff --git a/bijoe/visualization/signature.py b/bijoe/visualization/signature.py
index 659ee8f..7b3245b 100644
--- a/bijoe/visualization/signature.py
+++ b/bijoe/visualization/signature.py
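Review bot: `EngineDimension.cache_key` still builds its key by plain concatenation, `self.engine.path + self.engine_cube.name + self.name + repr(filters)`, so two different cube/dimension pairs whose names join to the same text (cube `ab` with dimension `c`, cube `a` with dimension `bc`) would share one cache entry. `EngineJSONDimension.cache_key` in the following hunk has the same shape. Hashing an unambiguous encoding, for example `key = repr((self.engine.path, self.engine_cube.name, self.name, filters))`, keeps the components apart. MD5 is adequate here as long as the digest is only a cache key. Both classes begin outside their hunks, so how the cached value is consumed is not visible.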
@@ -22,6 +22,7 @@ import urllib
 import random
 import logging
+from django.utils.encoding import force_bytes, smart_bytes
 from django.utils.six.moves.urllib import parse as urlparse
@@ -55,9 +56,7 @@ def sign_query(query, key, algo='sha256', timestamp=None, nonce=None):
 def sign_string(s, key, algo='sha256', timedelta=30):
 digestmod = getattr(hashlib, algo)
- if isinstance(key, unicode):
- key = key.encode('utf-8')
- hash = hmac.HMAC(key, digestmod=digestmod, msg=s)
+ hash = hmac.HMAC(smart_bytes(key), digestmod=digestmod, msg=smart_bytes(s))
 return hash.digest()
@@ -69,7 +68,7 @@ def check_url(url, key, known_nonce=None, timedelta=30):
 def check_query(query, key, known_nonce=None, timedelta=30):
 res, error = check_query2(query, key, known_nonce=known_nonce, timedelta=timedelta)
 if not res:
- key_hash = 'md5:%s' % hashlib.md5(key).hexdigest()[:6]
+ key_hash = 'md5:%s' % hashlib.md5(force_bytes(key)).hexdigest()[:6]
 logging.getLogger(__name__).warning(
 'could not check signature of query %r with key %s: %s', query, key_hash, error)
 return res
diff --git a/bijoe/visualization/utils.py b/bijoe/visualization/utils.py
index a08d457..f206cdc 100644
--- a/bijoe/visualization/utils.py
+++ b/bijoe/visualization/utils.py
@@ -25,7 +25,7 @@ import copy
 import collections
 from django.core.cache import cache
-from django.utils.encoding import force_text
+from django.utils.encoding import force_bytes, force_text
 from django.utils.safestring import mark_safe
 from django.utils.translation import ugettext_lazy as _
 from django.http import Http404
@@ -151,7 +151,7 @@ class Visualization(object):
 keys += [dim.name for dim in self.drilldown]
 keys += [self.measure.name]
 key = '$'.join(v.encode('utf8') for v in keys)
- return hashlib.md5(key).hexdigest()
+ return hashlib.md5(force_bytes(key)).hexdigest()
 def data(self):
 '''Execute aggregation query, list members and check None values in
diff --git a/bijoe/visualization/views.py b/bijoe/visualization/views.py
index 79c3b67..d34dfa2 100644
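Review bot: In `sign_string`, `smart_bytes(key)` converts any object to bytes, so a key that arrives as `None` (an unset configuration value, say) becomes `b'None'` and is used as the HMAC key, where the removed `hmac.HMAC(key, ...)` call would presumably have raised. Passing `strings_only=True` leaves non-string values unconverted so the error still surfaces: `hash = hmac.HMAC(force_bytes(key, strings_only=True), digestmod=digestmod, msg=force_bytes(s, strings_only=True))`. That also uses the same helper as the other hunks, which would make the `smart_bytes` import unnecessary. A docstring saying that `key` and `s` may be text or bytes and are UTF-8 encoded before signing would record the new contract.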
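Review bot: The context line just above the change in `Visualization`, `key = '$'.join(v.encode('utf8') for v in keys)`, joins `bytes` items with a `str` separator, which raises `TypeError` on Python 3 before the new `force_bytes(key)` call is reached, so this method looks still broken on the interpreter the commit targets. Building the text first and encoding once avoids that: `key = '$'.join(force_text(v) for v in keys)`, followed by the existing `return hashlib.md5(force_bytes(key)).hexdigest()`. `force_text` is already imported in this file. The method's signature is outside the hunk, so this assumes the entries of `keys` are text names.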
--- a/bijoe/visualization/views.py
+++ b/bijoe/visualization/views.py
@@ -21,7 +21,7 @@ import json
 from django.conf import settings
 from django.contrib import messages
-from django.utils.encoding import force_text
+from django.utils.encoding import force_bytes, force_text
 from django.utils.text import slugify
 from django.utils.translation import ungettext, ugettext as _
 from django.views.generic.edit import CreateView, DeleteView, UpdateView, FormView
@@ -175,7 +175,8 @@ class VisualizationView(views.AuthorizationMixin, CubeDisplayMixin, DetailView):
 initial['filter__%s' % key] = value
 ctx['form'] = forms.CubeForm(cube=self.cube, initial=initial)
 path = reverse('visualization-iframe', args=self.args, kwargs=self.kwargs)
- signature = hashlib.sha1(path + settings.SECRET_KEY).hexdigest()
+ signature = path + settings.SECRET_KEY
+ signature = hashlib.sha1(force_bytes(signature)).hexdigest()
 path += '?signature=' + signature
 ctx['iframe_url'] = path
 return ctx
@@ -186,7 +187,8 @@ class SignatureAuthorizationMixin(views.AuthorizationMixin):
 if request.user.is_authenticated() and request.user.is_superuser:
 return True
 if 'signature' in request.GET:
- signature = hashlib.sha1(request.path + settings.SECRET_KEY).hexdigest()
+ signature = request.path + settings.SECRET_KEY
+ signature = hashlib.sha1(force_bytes(signature)).hexdigest()
 if request.GET['signature'] == signature:
 return True
 return False
@@ -241,7 +243,8 @@ class VisualizationsJSONView(MultipleObjectMixin, View):
 data = []
 for visualization in self.get_queryset():
 path = reverse('visualization-iframe', kwargs={'pk': visualization.pk})
- sig = hashlib.sha1(path + settings.SECRET_KEY).hexdigest()
+ sig = path + settings.SECRET_KEY
+ sig = hashlib.sha1(force_bytes(sig)).hexdigest()
 path += '?signature=' + sig
 data_uri = reverse('visualization-json', kwargs={'pk': visualization.pk})
 data.append({
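Review bot: In `SignatureAuthorizationMixin` the recomputed `sha1(path + SECRET_KEY)` value is still checked with `if request.GET['signature'] == signature:`, which is not a constant-time comparison for a value that grants access; `if constant_time_compare(request.GET['signature'], signature):` from `django.utils.crypto` is the drop-in replacement. The same two-line computation now appears in `VisualizationView`, `SignatureAuthorizationMixin` and `VisualizationsJSONView`, so a single helper would keep signer and verifier from drifting apart. It would also be the natural place to move to a keyed construction such as `django.utils.crypto.salted_hmac`, a change that alters existing iframe URLs and so needs a deliberate migration. Reusing the name `signature` (and `sig`) for `path + settings.SECRET_KEY` leaves a variable that briefly holds the secret under a harmless-looking name; a separate name such as `to_sign` is clearer. All three methods begin outside their hunks.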