Home Explore Help
Sign In
221V
/
Misago
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: f23e09c835
Branches Tags
Misago
/
misago
/
markup
/
checksums.py

checksums.py 1.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536 
  1. """
    2. 

  2. Misago saves parsed strings in database.
    3. 

  3. 

  4. Those strings are "trusted" and contain HTML that is rendered by templates
    5. 

  5. without additional sanitization step.
    6. 

  6. 

  7. While this greatly improves speed, it also means that SQLInjections may
    8. 

  8. escalate to Code Injection vulnerabilities.
    9. 

  9. 

  10. Because of this you should use this module to generate checksum for each model
    11. 

  11. that contains parsed strings. Each checksum should be generated from markup as
    12. 

  12. well as additional unique values that are specific for that model, like its PK,
    13. 

  13. post date, etc ect.
    14. 

  14. 

  15. That way even if few items will contain the same content, they will have
    16. 

  16. different checksums, and as long as attacker has no access to filesystem,
    17. 

  17. he'll wont know SECRET_KEY and thus won't be able to generate valid checksums
    18. 

  18. for injected content
    19. 

  19. 

  20. Because SHA256 is used for checksum generation, make sure you are storing them
    21. 

  21. in char fields with max_length=64
    22. 

  22. """
    23. 

  23. from hashlib import sha256
    24. 

  24. 

  25. from django.utils import six
    26. 

  26. 

  27. 

  28. def make_checksum(parsed, unique_values=None):
    29. 

  29.     unique_values = unique_values or []
    30. 

  30.     seeds = [parsed] + [six.text_type(v) for v in unique_values]
    31. 

  31. 

  32.     return sha256('+'.join(seeds).encode("utf-8")).hexdigest()
    33. 

  33. 

  34. 

  35. def is_checksum_valid(parsed, checksum, unique_values=None):
    36. 

  36.     return checksum == make_checksum(parsed, unique_values)
    37.