Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Added fallback signers and switch back to sha1 #113

Merged
merged 8 commits into from
Oct 26, 2018
Merged

Added fallback signers and switch back to sha1 #113

merged 8 commits into from
Oct 26, 2018

Conversation

mitsuhiko
Copy link
Contributor

@mitsuhiko mitsuhiko commented Oct 26, 2018
edited
Loading

This rolls back the signing algorithm to HMAC-SHA1 by default and it
adds support for fallback signers. This way a future version of itsdangerous
could rotate to a different algorithm without discarding everything else.

The fallbacks are just supported for the normal serializers.

Refs #112 #111

@mitsuhiko mitsuhiko requested a review from davidism October 26, 2018 20:48
@mitsuhiko mitsuhiko merged commit af4856a into master Oct 26, 2018
@ThiefMaster
Copy link
Member

Do we support SHA1 and SHA512 in 1.1? If 1.1 cannot deserialize data from 1.0, the release should probably be 2.0.

@mitsuhiko
Copy link
Contributor Author

I can make the default config support SHA-512.

@mitsuhiko mitsuhiko deleted the feature/sha1 branch October 26, 2018 22:49
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Nov 10, 2018
@kleink
Update py-itsdangerous to 1.1.0.
8dba0d6 
Version 1.1.0
-------------

Released 2018-10-26

-   Change default signing algorithm back to SHA-1. (`#113`_)
-   Added a default SHA-512 fallback for users who used the yanked 1.0.0
    release which defaulted to SHA-512. (`#114`_)
-   Add support for fallback algorithms during deserialization to
    support changing the default in the future without breaking existing
    signatures. (`#113`_)
-   Changed capitalization of packages back to lowercase as the change
    in capitalization broke some tooling. (`#113`_)

.. _#113: pallets/itsdangerous#113
.. _#114: pallets/itsdangerous#114


Version 1.0.0
-------------

Released 2018-10-18

YANKED

*Note*: This release was yanked from PyPI because it changed the default
algorithm to SHA-512. This decision was reverted in 1.1.0 and it remains
at SHA1.

-   Drop support for Python 2.6 and 3.3.
-   Refactor code from a single module to a package. Any object in the
    API docs is still importable from the top-level ``itsdangerous``
    name, but other imports will need to be changed. A future release
    will remove many of these compatibility imports. (`#107`_)
-   Optimize how timestamps are serialized and deserialized. (`#13`_)
-   ``base64_decode`` raises ``BadData`` when it is passed invalid data.
    (`#27`_)
-   Ensure value is bytes when signing to avoid a ``TypeError`` on
    Python 3. (`#29`_)
-   Add a ``serializer_kwargs`` argument to ``Serializer``, which is
    passed to ``dumps`` during ``dump_payload``. (`#36`_)
-   More compact JSON dumps for unicode strings. (`#38`_)
-   Use the full timestamp rather than an offset, allowing dates before
    2011. (`#46`_)
-   Detect a ``sep`` character that may show up in the signature itself
    and raise a ``ValueError``. (`#62`_)
-   Use a consistent signature for keyword arguments for
    ``Serializer.load_payload`` in subclasses. (`#74`_, `#75`_)
-   Change default intermediate hash from SHA-1 to SHA-512. (`#80`_)
-   Convert JWS exp header to an int when loading. (`#99`_)

.. _#13: pallets/itsdangerous#13
.. _#27: pallets/itsdangerous#27
.. _#29: pallets/itsdangerous#29
.. _#36: pallets/itsdangerous#36
.. _#38: pallets/itsdangerous#38
.. _#46: pallets/itsdangerous#46
.. _#62: pallets/itsdangerous#62
.. _#74: pallets/itsdangerous#74
.. _#75: pallets/itsdangerous#75
.. _#80: pallets/itsdangerous#80
.. _#99: pallets/itsdangerous#99
.. _#107: pallets/itsdangerous#107
@davidism davidism mentioned this pull request Apr 4, 2020
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 9, 2021
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Reviewers

@ThiefMaster ThiefMaster ThiefMaster left review comments

@davidism davidism Awaiting requested review from davidism

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mitsuhiko @ThiefMaster