If changing ConditionalGetMiddleware to use SHA-256, it also might be good to change it on FileBasedCache, _generate_cache_key, and generate_cache_header_key too. Also, _generate_cache_key is just blindly concatenating hashes, so ['foo', 'bar'] is equal to ['fo', 'obar']. I don't know, it might be a problem, but it just doesn't look right.
On Thu, Sep 10, 2020 at 10:14 PM Taymon A. Beal <taymonb...@gmail.com> wrote:
> That attack doesn't work with the recommended production setup because
> Django doesn't serve uploaded files in that setup.
>
> That being said, some users might be doing that anyway since setting
> up production-worthy upload hosting is such a pain, and even if they
> don't, they might have other views that somehow allow users to control
> the response body. So I think this should be treated as a
> not-super-severe-but-still-worth-fixing security issue.
>
> What backwards-compatibility considerations exist? Do we consider it
> normal for upgrading to a different Django version to bust users'
> caches? I can't immediately think of any bad consequences of changing
> the hash function, apart from that one. Busting users' caches doesn't
> sound that terrible, given that, even if the hash function were
> changed on every release (which of course it wouldn't be; SHA-2 has
> been the most generally-recommended hash function for 15 years and
> there are no signs that this will change), it would still only happen
> once every eight months, and it's fairly rare for anything to be
> cached that long in the first place, I think.
>
> Taymon
>
>
> On Thu, Sep 10, 2020 at 1:16 PM Francisco Couzo <francisco...@gmail.com> wrote:
> >
> > User 1 uploads a file
> > User 2 downloads it, and caches it
> > User 1 uploads a new file to the same URL, with the same MD5 hash
> > User 2 will keep using the old file indefinitely
> >
> > Sure, user 1 has to upload two files with the same hash on purpose
> >
> > On Thu, Sep 10, 2020 at 11:07 AM Adam Johnson <m...@adamj.eu> wrote:
> >>
> >> What would this protect against?
> >>
> >> On Thu, 10 Sep 2020 at 03:56, Francisco Couzo <francisco...@gmail.com> wrote:
> >>>
> >>> I think it would be a good idea to make ConditionalGetMiddleware use a
> >>> hash function that's not as easy to find a collision as MD5, most probably
> >>> SHA-256 or BLAKE2.
> >>> I don't see a problem with just changing it, it will just invalidate
> >>> the old cache.
> >>> If there's an agreement on changing the hash function, I can make the
> >>> PR.
> >>>
> >>> --
> >>> You received this message because you are subscribed to the Google
> >>> Groups "Django developers (Contributions to Django itself)" group.
> >>> To unsubscribe from this group and stop receiving emails from it, send
> >>> an email to django-developers+unsubscr...@googlegroups.com.
> >>> To view this discussion on the web visit
> >>> https://groups.google.com/d/msgid/django-developers/ff591d46-97fc-43d6-9d1c-d0ba24d7b1a8n%40googlegroups.com
> >>>
> >> --
> >> Adam
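An added illustration of the boundary ambiguity raised at the top of the thread (this is not code from the thread or from Django): a simplified model of a cache-key derivation, run over a constructed pair of input lists, showing that hashing a raw concatenation, or a delimiter-joined string, can yield one key for two different inputs, while a length-prefixed encoding cannot. The function names and the choice of SHA-256 are assumptions.

```python
import hashlib
from typing import Sequence

# Simplified model of deriving a cache key from a list of string parts
# (for example header values). Not Django's implementation.


def concat_key(parts: Sequence[str]) -> str:
    """Hash the raw concatenation: part boundaries are lost, so
    ['foo', 'bar'] and ['fo', 'obar'] feed identical bytes to the hash."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part.encode("utf-8"))
    return h.hexdigest()


def delimited_key(parts: Sequence[str], sep: str = ":") -> str:
    """Join with a separator: better, but still ambiguous whenever a part
    may itself contain the separator (['a:b'] vs ['a', 'b'])."""
    return hashlib.sha256(sep.join(parts).encode("utf-8")).hexdigest()


def length_prefixed_key(parts: Sequence[str]) -> str:
    """Commit each part's byte length before its bytes. The encoding is
    injective, so distinct lists can only share a key if SHA-256 itself
    collides, regardless of what characters the parts contain."""
    h = hashlib.sha256()
    for part in parts:
        data = part.encode("utf-8")
        h.update(len(data).to_bytes(8, "big"))  # 8-byte big-endian length
        h.update(data)
    return h.hexdigest()


def demo() -> dict:
    """Constructed inputs: the pair from the thread and a separator case."""
    a, b = ["foo", "bar"], ["fo", "obar"]
    c, d = ["a:b"], ["a", "b"]
    return {
        "concat_collides": concat_key(a) == concat_key(b),
        "delimited_collides": delimited_key(c) == delimited_key(d),
        "prefixed_collides_ab": length_prefixed_key(a) == length_prefixed_key(b),
        "prefixed_collides_cd": length_prefixed_key(c) == length_prefixed_key(d),
    }


if __name__ == "__main__":
    print(demo())
```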