| -rw-r--r-- | CHANGES.txt | 6 | ||||
| -rw-r--r-- | pyramid/session.py | 18 |
2 files changed, 19 insertions, 5 deletions
diff --git a/CHANGES.txt b/CHANGES.txt index 550dd0a39..feea11def 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -15,6 +15,12 @@ Bug Fixes allowing traversal to continue. See https://github.com/Pylons/pyramid/issues/1104 +Deprecations +------------ + +- The ``UnencryptedCookieSessionFactoryConfig`` has been deprecated and will + be replaced by the ``SignedCookieSessionFactory``. + 1.5a2 (2013-09-22) ================== diff --git a/pyramid/session.py b/pyramid/session.py index 800400223..803d56066 100644 --- a/pyramid/session.py +++ b/pyramid/session.py @@ -1,10 +1,10 @@ -import hashlib -from hashlib import sha1 import base64 import binascii +import hashlib import hmac -import time import os +import time +import warnings from zope.interface import implementer @@ -55,7 +55,7 @@ def signed_serialize(data, secret): response.set_cookie('signed_cookie', cookieval) """ pickled = pickle.dumps(data, pickle.HIGHEST_PROTOCOL) - sig = hmac.new(bytes_(secret), pickled, sha1).hexdigest() + sig = hmac.new(bytes_(secret), pickled, hashlib.sha1).hexdigest() return sig + native_(base64.b64encode(pickled)) def signed_deserialize(serialized, secret, hmac=hmac): @@ -79,7 +79,7 @@ def signed_deserialize(serialized, secret, hmac=hmac): # Badly formed data can make base64 die raise ValueError('Badly formed base64 data: %s' % e) - sig = bytes_(hmac.new(bytes_(secret), pickled, sha1).hexdigest()) + sig = bytes_(hmac.new(bytes_(secret), pickled, hashlib.sha1).hexdigest()) # Avoid timing attacks (see # http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf) 
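Review bot: In the `signed_deserialize` hunk, the recomputed `sig` line has no comment saying the check is a security boundary, although `pickled` holds bytes decoded from a caller-supplied cookie value. The function continues past the end of the hunk, so the comparison and the load are not visible here. Going by the variable name and the "(using pickle)" wording in the factory docstring, the bytes are presumably unpickled once the signature matches. I would add a comment above the `sig = bytes_(hmac.new(...))` line such as `# Verify the HMAC before any pickle.loads(): these bytes come from the client and unpickling them unverified would run attacker-chosen code.` If the comparison below the timing-attack comment is hand-written, `hmac.compare_digest` is the stdlib equivalent on Python versions that provide it.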
@@ -424,6 +424,14 @@ def UnencryptedCookieSessionFactoryConfig( is valid. Default: ``signed_deserialize`` (using pickle). """ + warnings.warn( + ('The UnencryptedCookieSessionFactoryConfig is deprecated as of ' + 'Pyramid 1.5, and will be replaced by the ' + 'SignedCookieSessionFactory in future versions.'), + DeprecationWarning, + stacklevel=2 + ) + return BaseCookieSessionFactory( lambda v: signed_serialize(v, secret), lambda v: signed_deserialize(v, secret), |
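Review bot: The `warnings.warn(...)` call added to `UnencryptedCookieSessionFactoryConfig` uses `DeprecationWarning`, which Python's default warning filters ignore in most contexts, so many deployments will never see the message. The docstring starts outside this hunk; if it does not already say so, it should carry the same notice, e.g. `.. deprecated:: 1.5` followed by a pointer to `SignedCookieSessionFactory`. The message would also help more if it told the caller what to do, for instance ending with `'Use SignedCookieSessionFactory instead.'`. This factory still passes `signed_deserialize` (pickle behind an HMAC-SHA1 check) to `BaseCookieSessionFactory`, so the notice is a good place to state that the secrecy and strength of `secret` is the only thing keeping client-supplied cookie data from being unpickled.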
