On Wed, Oct 12, 2022 at 3:25 PM 'Adam Johnson' via Django developers (Contributions to Django itself) <django-developers@googlegroups.com> wrote:
> Thank you for diving into this John! All seems sensible then.

Yeah, the threat model here is you have, say, Endpoints A and B that each work with HMAC'd values, and Endpoint A generates them based at least in part on user input. With some cleverness, an attacker might figure out how to get Endpoint A to generate an HMAC that Endpoint B will accept as valid. Now, imagine that Endpoint B is, say, password reset.

This is why uses of HMAC should be namespaced. It's maybe unfortunate that the exact keyword argument is named "salt" when people are used to that being a unique-per-call random value rather than a constant, but a constant is the expected pattern for many usages of HMAC in Django and in Django apps.

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAL13Cg-vH4Otf6QWDnHpeYbufsDQfWfxhJ-1TF%3DS_iBk8CL%2BVw%40mail.gmail.com.
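The cross-endpoint confusion described in the message above, and the namespacing that prevents it, as an added stand-alone example (not code from the thread or from Django itself). The `salted_hmac` helper below is my own reimplementation that follows the same shape as Django's `django.core.signing.salted_hmac` (derive a per-namespace key from `key_salt + secret`, then HMAC the value), with SHA-256 throughout; the secret, endpoint names and salt strings are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret; stands in for a deployment's SECRET_KEY.
SECRET = "constructed-demo-secret-do-not-reuse"


def salted_hmac(key_salt: str, value: str, secret: str) -> bytes:
    """Derive a per-namespace key from (salt + secret), then HMAC the value.

    Mirrors the shape of django.core.signing.salted_hmac (SHA-256 variant),
    but is a standalone reimplementation written for this example.
    """
    key = hashlib.sha256(key_salt.encode() + secret.encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).digest()


def sign(key_salt: str, value: str) -> str:
    return salted_hmac(key_salt, value, SECRET).hex()


def verify(key_salt: str, value: str, tag: str) -> bool:
    # Constant-time comparison so the verifier does not leak tag bytes.
    return hmac.compare_digest(sign(key_salt, value), tag)


# Endpoint A: MACs a value the user chooses (say, an export job name).
def endpoint_a_sign(user_supplied: str, salt: str) -> str:
    return sign(salt, user_supplied)


# Endpoint B: password reset; accepts "user:<id>" when the MAC checks out.
def endpoint_b_accepts(token_value: str, tag: str, salt: str) -> bool:
    return token_value.startswith("user:") and verify(salt, token_value, tag)


def cross_endpoint_confusion(salt_a: str, salt_b: str) -> bool:
    """True when a MAC produced by A over user-chosen input is accepted by B.

    With identical salts (or no salt at all) the two endpoints share one key
    space, so A becomes a signing oracle for B. Distinct constant salts give
    each endpoint its own key, and A's output is meaningless to B.
    """
    payload = "user:42"  # user-chosen input to A, shaped like B's token
    tag = endpoint_a_sign(payload, salt_a)
    return endpoint_b_accepts(payload, tag, salt_b)


def random_salt_breaks_verification() -> bool:
    """The 'salt' is a namespace, not a nonce.

    A fresh random salt per call yields a tag that a verifier using its own
    constant salt can never validate, which is why Django expects a constant.
    """
    tag = sign(secrets.token_hex(8), "user:42")
    return not verify("app.password_reset", "user:42", tag)


if __name__ == "__main__":
    print("shared namespace, A's MAC accepted by B:",
          cross_endpoint_confusion("", ""))
    print("distinct namespaces, A's MAC accepted by B:",
          cross_endpoint_confusion("app.export", "app.password_reset"))
    print("per-call random salt defeats verification:",
          random_salt_breaks_verification())
```

Run it directly to see the three outcomes; the detection-side takeaway is to grep an app's `Signer(...)`, `TimestampSigner(...)` and `salted_hmac(...)` calls and confirm each distinct purpose uses a distinct constant salt rather than the default or a shared one.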