Comments (1)
The reason the format string of PGCRYPTO_KEY was removed in the latest version of django-pgcrypto-fields (version 2.3.0 onwards) is to improve security.
Previous versions of django-pgcrypto-fields used string interpolation to insert the value of settings.PGCRYPTO_KEY into the HMAC_SQL string, which can introduce a security vulnerability called SQL injection, where an attacker can manipulate the input data to execute malicious SQL code. Removing the format string and directly including the PGCRYPTO_KEY value in the HMAC_SQL string eliminates this vulnerability.
However, if you really need the old behavior, you can still use version 2.2.0 or earlier, or modify the source code of the latest version to include the format string.
from django-pgcrypto-fields.
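The comment above contrasts pasting settings.PGCRYPTO_KEY into the SQL text with keeping it out of the statement. The following is an added example, not code from django-pgcrypto-fields: the shape of the HMAC expression (`hmac(<column>, <key>, 'sha512')`) and the helper names are assumptions, and sqlite3 stands in for PostgreSQL only to show, offline, why a bound parameter is safe where interpolation is not (pgcrypto's `hmac()` itself is not available in sqlite). A key containing a single quote is enough to break the interpolated statement, while the same key round-trips untouched when bound as a parameter.

```python
import sqlite3

# Constructed sample key, not a real secret. The embedded single quote is the
# kind of character that turns an interpolated key into a different statement.
SAMPLE_KEY = "s3cret'key"


def hmac_expression_unsafe(column: str, key: str) -> str:
    """Old-style construction (assumed shape): the key is pasted into SQL text.

    Quotes or comment markers inside the key become part of the statement, so
    the query can fail or change meaning. Kept only to contrast with the safe
    form below.
    """
    return "hmac(%s, '%s', 'sha512')" % (column, key)


def hmac_expression_safe(column: str, key: str) -> tuple[str, tuple]:
    """Safe construction: the key travels as a bound parameter.

    The returned SQL uses a psycopg-style %s placeholder; the key appears only
    in the params tuple, never in the statement text. The column name is still
    a trusted identifier chosen by the application, not user input.
    """
    return "hmac(%s, %%s, 'sha512')" % column, (key,)


def interpolated_roundtrip(key: str):
    """Emulate the old pattern on sqlite3: key interpolated into the SQL text.

    Returns the value the database echoes back, or None if the key's content
    broke the statement (a syntax error, the failure mode the comment warns of).
    """
    conn = sqlite3.connect(":memory:")
    try:
        return conn.execute("SELECT '%s'" % key).fetchone()[0]
    except sqlite3.OperationalError:
        return None
    finally:
        conn.close()


def bound_roundtrip(key: str):
    """Same query with the key bound as a parameter: content is never parsed as SQL."""
    conn = sqlite3.connect(":memory:")
    try:
        return conn.execute("SELECT ?", (key,)).fetchone()[0]
    finally:
        conn.close()


def key_leaks_into_sql(sql: str, key: str) -> bool:
    """Check a practitioner can run over generated SQL: the secret must not be in the text."""
    return key in sql


if __name__ == "__main__":
    print("unsafe:", hmac_expression_unsafe("email", SAMPLE_KEY))
    print("safe:  ", hmac_expression_safe("email", SAMPLE_KEY))
    print("interpolated roundtrip:", interpolated_roundtrip(SAMPLE_KEY))
    print("bound roundtrip:       ", bound_roundtrip(SAMPLE_KEY))
```

The last helper is the check worth keeping around after an upgrade: log or inspect the SQL your ORM emits for an encrypted-field query and confirm the key string never appears in it, which is exactly what removing the format string achieves.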