pass bytes for hashing (#38923)

2020-01-07 15:21:45 +01:00 · 2020-01-07 15:21:45 +01:00 · e195b4ea6d
parent 11481f476c
commit e195b4ea6d
4 changed files with 13 additions and 9 deletions
--- a/passerelle/contrib/planitech/models.py
+++ b/passerelle/contrib/planitech/models.py
@ -25,6 +25,7 @@ from django.core.cache import cache
 from django.db import models, transaction
 from django.utils import dateformat
 from django.utils import dateparse
+from django.utils.encoding import force_bytes
 from django.utils.six.moves.urllib import parse as urlparse
 from django.utils.translation import ugettext_lazy as _
 from jsonfield import JSONField
@ -203,7 +204,7 @@ def parse_time(time_str):


 def compute_hash(content, hardness, salt):
-    sha = hashlib.new('sha512', salt + content)
+    sha = hashlib.new('sha512', force_bytes(salt + content))
    for idx in range(hardness):
        sha = hashlib.new('sha512', sha.digest())
    return sha.hexdigest().upper()
--- a/passerelle/utils/init.py
+++ b/passerelle/utils/init.py
@ -31,6 +31,7 @@ from django.core.exceptions import PermissionDenied
 from django.http import HttpResponse, HttpResponseBadRequest
 from django.template import Template, Context
 from django.utils.decorators import available_attrs
+from django.utils.encoding import force_bytes
 from django.utils.six import StringIO
 from django.views.generic.detail import SingleObjectMixin
 from django.contrib.contenttypes.models import ContentType
@ -240,7 +241,7 @@ class Request(RequestSession):
                    kwargs['proxies'] = {'http': proxy, 'https': proxy}

        if method == 'GET' and cache_duration:
-            cache_key = hashlib.md5('%r;%r' % (url, kwargs)).hexdigest()
+            cache_key = hashlib.md5(force_bytes('%r;%r' % (url, kwargs))).hexdigest()
            cache_content = cache.get(cache_key)
            if cache_content and not invalidate_cache:
                response = RequestResponse()
--- a/passerelle/utils/http_authenticators.py
+++ b/passerelle/utils/http_authenticators.py
@ -21,6 +21,7 @@ import time

 from uuid import uuid4

+from django.utils.encoding import force_bytes
 from django.utils.six.moves.urllib import parse as urlparse
 from requests.auth import AuthBase

@ -37,10 +38,10 @@ class HawkAuth(AuthBase):

    def get_payload_hash(self, req):
        p_hash = hashlib.new(self.algorithm)
-        p_hash.update('hawk.1.payload\n')
-        p_hash.update(req.headers.get('Content-Type', '') + '\n')
-        p_hash.update(req.body or '')
-        p_hash.update('\n')
+        p_hash.update(force_bytes('hawk.1.payload\n'))
+        p_hash.update(force_bytes(req.headers.get('Content-Type', '') + '\n'))
+        p_hash.update(force_bytes(req.body or ''))
+        p_hash.update(force_bytes('\n'))
        return base64.b64encode(p_hash.digest())

    def get_authorization_header(self, req):
@ -57,7 +58,7 @@ class HawkAuth(AuthBase):
        data = ['hawk.1.header', self.timestamp, self.nonce, req.method.upper(), uri,
                url_parts.hostname, port, hash, self.ext, '']
        digestmod = getattr(hashlib, self.algorithm)
-        result = hmac.new(self.key, '\n'.join(data), digestmod)
+        result = hmac.new(force_bytes(self.key), force_bytes('\n'.join(data)), digestmod)
        mac = base64.b64encode(result.digest())
        authorization = 'Hawk id="%s", ts="%s", nonce="%s", hash="%s", mac="%s"'% (self.id, self.timestamp, self.nonce,
                                                    hash, mac)
--- a/passerelle/views.py
+++ b/passerelle/views.py
@ -37,7 +37,7 @@ from django.shortcuts import resolve_url
 from django.core.urlresolvers import reverse
 from django.utils.timezone import make_aware
 from django.utils.translation import ugettext_lazy as _
-from django.utils.encoding import force_text
+from django.utils.encoding import force_bytes, force_text
 from django.forms.models import modelform_factory
 from django.forms.widgets import ClearableFileInput
 from django.utils.six.moves.urllib.parse import quote
@ -450,7 +450,8 @@ class GenericEndpointView(GenericConnectorMixin, SingleObjectMixin, View):
        params = self.get_params(request, *args, **kwargs)
        if request.method == 'GET' and self.endpoint.endpoint_info.cache_duration:
            cache_key = hashlib.md5(
-                repr(self.get_object().slug) + repr(self.endpoint) + repr(params)).hexdigest()
+                force_bytes(repr(self.get_object().slug) + repr(self.endpoint) + repr(params))
+            ).hexdigest()
            result = cache.get(cache_key)
            if result is not None:
                return result