From: Jeremy Cline Date: Wed, 9 Oct 2019 19:03:45 +0000 (-0400) Subject: Use secrets and fall back to random.SystemRandom for keys X-Git-Tag: v2.2.0-rc1~53 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bb7626b2f257852f426723de551418753e3dd692;p=thirdparty%2Fpatchwork.git Use secrets and fall back to random.SystemRandom for keys The random module uses the Mersenne Twister pseudorandom number generator and is not a cryptographically secure random number generator[0]. The secrets[1] module is intended for generating cryptographically strong random numbers, so recommend using that to generate the secret key. It's new in Python 3, so if it's unavailable fall back to using the ``os.urandom()`` backed implementation of random. NOTE(stephenfin): Modified to include change to 'config.yaml'. Also renamed reno to just stick with hyphens for filenames. [0] https://docs.python.org/3/library/random.html [1] https://docs.python.org/3/library/secrets.html Signed-off-by: Jeremy Cline Signed-off-by: Stephen Finucane --- diff --git a/docs/deployment/installation.rst b/docs/deployment/installation.rst index d422573d..f477a110 100644 --- a/docs/deployment/installation.rst +++ b/docs/deployment/installation.rst @@ -254,9 +254,15 @@ This should be a random value and kept secret. You can generate and a value for .. code-block:: python - import string, random + import string + try: + import secrets + except ImportError: # Python < 3.6 + import random + secrets = random.SystemRandom() + chars = string.ascii_letters + string.digits + string.punctuation - print(repr("".join([random.choice(chars) for i in range(0,50)]))) + print("".join([secrets.choice(chars) for i in range(50)])) Once again, store this in ``production.py``. diff --git a/patchwork/settings/production.example.py b/patchwork/settings/production.example.py index c6aa2f28..80585374 100644 --- a/patchwork/settings/production.example.py +++ b/patchwork/settings/production.example.py 
@@ -21,9 +21,15 @@ from .base import * # noqa # You'll need to replace this to a random string. The following python code can # be used to generate a secret key: # -# import string, random -# chars = string.letters + string.digits + string.punctuation -# print repr("".join([random.choice(chars) for i in range(0,50)])) +# import string +# try: +# import secrets +# except ImportError: # Python < 3.6 +# import random +# secrets = random.SystemRandom() +# +# chars = string.ascii_letters + string.digits + string.punctuation +# print("".join([secrets.choice(chars) for i in range(50)])) SECRET_KEY = os.environ['DJANGO_SECRET_KEY'] diff --git a/releasenotes/config.yaml b/releasenotes/config.yaml index cd319406..bb6f2151 100644 --- a/releasenotes/config.yaml +++ b/releasenotes/config.yaml @@ -10,4 +10,5 @@ sections: - [deprecations, Deprecation Notes] - [fixes, Bug Fixes] - [api, API Changes] + - [security, Security Notes] - [other, Other Notes] diff --git a/releasenotes/notes/use-secrets-and-fall-back-to-random-SystemRandom-for-keys-9ceb496919a1bb6f.yaml b/releasenotes/notes/use-secrets-and-fall-back-to-random-SystemRandom-for-keys-9ceb496919a1bb6f.yaml new file mode 100644 index 00000000..7b101cbe --- /dev/null +++ b/releasenotes/notes/use-secrets-and-fall-back-to-random-SystemRandom-for-keys-9ceb496919a1bb6f.yaml @@ -0,0 +1,5 @@ +--- +security: + - | + Change the recommended method for generating the Django secret key to use a + cryptographically secure random number generator.
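Review bot: in the docs/deployment/installation.rst hunk, dropping the `repr()` around the generated string means characters from `string.punctuation` such as `'`, `"` and `\` are now printed raw, yet the next sentence tells the reader to paste the value into ``production.py``, where an unescaped quote or backslash will break the assignment. Either keep the quoted form (`print(repr("".join(...)))`) or narrow the alphabet to `string.ascii_letters + string.digits`, so the printed key is always safe to copy as-is. While touching this paragraph, the unchanged context line "You can generate and a value for" has a stray "and" that should go.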
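Review bot: the patchwork/settings/production.example.py hunk duplicates the generator snippet from installation.rst inside a comment, and the two copies had already drifted before this change (the comment used the Python 2 only `string.letters` and `print repr(...)` while the docs used `string.ascii_letters`). Consider replacing the inline snippet with a one-line pointer to the installation documentation so there is a single copy to keep current. The surrounding comment "You'll need to replace this to a random string" also no longer matches the code below it, which reads `SECRET_KEY = os.environ['DJANGO_SECRET_KEY']` rather than holding a literal; "set `DJANGO_SECRET_KEY` to a random string" would be accurate.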
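Review bot: in the releasenotes/config.yaml hunk, the new `- [security, Security Notes]` section is inserted after API Changes and just before Other Notes; reno renders sections in the listed order, so the entries operators most need to act on end up near the bottom of each release's notes. Consider placing the section ahead of `- [fixes, Bug Fixes]` so security items are read first.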
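Review bot: the new releasenotes/notes/use-secrets-and-fall-back-to-random-SystemRandom-for-keys-9ceb496919a1bb6f.yaml only states that the recommended generation method changed; it does not tell administrators whether a `SECRET_KEY` produced with the old `random.choice` snippet should be regenerated. Since the commit message's point is that the old snippet was not cryptographically secure, add a sentence saying whether existing keys should be rotated, otherwise the note gives readers no action to take.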