OK. Here is a proposal then. The only place where CRYPT is used in the scaffolding app is in Auth. Let's allow a new

auth.settings.hmac_key=None

set to None by default in Auth (to not break backward compatibility), but let's add a new line to welcome/models/db.py

auth.settings.hmac_key='change this line'

so that new apps use HMAC. This will not require migrations and is just a three-line change. Would it satisfy you?

Massimo

On Aug 2, 2:45 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
> On Aug 2, 2009, at 12:24 PM, mdipierro wrote:
>
> > But if there is a default key then everybody knows the default key.
> > What's the point? The key has to be passed and has to be unique for
> > every app.
>
> The point is that the resulting hashes aren't in publicly available
> precomputed rainbow tables.
>
> And the default key could be something like: key='change this key to
> something application-specific!'
>
> Better than unsalted MD5, and an easy-to-comply-with nudge to the
> developer.
>
> (Query: are SHAx HMAC keys arbitrary byte strings, or are they
> restricted in some way?)
>
> > On Aug 2, 1:52 pm, Fran <francisb...@googlemail.com> wrote:
> >> On Aug 2, 7:41 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
> >>> Then let's make this the default, with a default key.
> >>
> >> +1
> >> An easy way to add /some/ security (i.e. helps against attacks which
> >> don't know about web2py) & if this is in the scaffolding app, then it
> >> makes it clearer that this is a change people should make in their own
> >> code...
> >>
> >> F
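The behaviour being proposed above, as an added Python example that is not part of the thread and not web2py's own CRYPT validator: a small factory that hashes with a plain digest when no key is set (the backward-compatible default) and with HMAC under an application-specific key otherwise. The names `make_crypt`, `plain_digest`, `verify` and `hmac_keys_are_unrestricted` are assumptions for illustration. It also answers Jonathan's query: per RFC 2104, HMAC keys are arbitrary byte strings of any length (keys longer than the hash block size are first hashed down), so the placeholder string works as a key, as would any other bytes.

```python
import hashlib
import hmac


def plain_digest(password, digest_alg="sha512"):
    """Unsalted, unkeyed digest: the same password hashes identically in every
    deployment, so precomputed tables for the algorithm apply directly.
    (The thread's existing baseline is MD5; any hashlib name works here.)"""
    return hashlib.new(digest_alg, password.encode("utf-8")).hexdigest()


def make_crypt(hmac_key=None, digest_alg="sha512"):
    """Return a password-hashing callable mirroring the proposal in the thread.

    hmac_key=None  -> plain digest, the backward-compatible default.
    hmac_key=bytes/str -> HMAC(key, password); the result is specific to the
    application holding the key, so a public table for the bare digest is useless
    against it. The key must be changed from any shipped placeholder, or every
    app using the placeholder shares one table again (the objection raised above).
    """
    if isinstance(hmac_key, str):
        hmac_key = hmac_key.encode("utf-8")

    def crypt(password):
        data = password.encode("utf-8")
        if hmac_key is None:
            return plain_digest(password, digest_alg)
        return hmac.new(hmac_key, data, digest_alg).hexdigest()

    return crypt


def verify(password, stored_hash, crypt):
    """Compare a candidate password against a stored hash in constant time."""
    return hmac.compare_digest(crypt(password), stored_hash)


def hmac_keys_are_unrestricted(password="correct horse"):
    """Demonstrate the RFC 2104 property: empty, short, and longer-than-block-size
    keys (SHA-512 block size is 128 bytes) are all accepted, and each yields a
    distinct full-length (128 hex char) digest."""
    keys = [b"", b"k", b"change this line", b"x" * 200]
    digests = [make_crypt(k)(password) for k in keys]
    return len(set(digests)) == len(keys) and all(len(d) == 128 for d in digests)


if __name__ == "__main__":
    # Constructed sample values; "change this line" is the placeholder from the thread.
    password = "hunter2"
    unsalted = make_crypt()(password)
    app_a = make_crypt("change this line")(password)
    app_b = make_crypt("some other application's key")(password)
    print("plain digest:   ", unsalted)
    print("HMAC, app A:    ", app_a)
    print("HMAC, app B:    ", app_b)
    print("same password, different apps, different hashes:", app_a != app_b)
    print("login with right password:", verify(password, app_a, make_crypt("change this line")))
    print("login with wrong password:", verify("hunter3", app_a, make_crypt("change this line")))
    print("HMAC accepts keys of any length:", hmac_keys_are_unrestricted())
```

One design note: a single per-application HMAC key defeats tables precomputed for the bare digest, which is exactly the gain discussed in the thread, but it is not a per-user salt, so two users of the same app with the same password still share a hash, and the hash is still as fast to compute as the underlying SHA function. Treat it as the cheap improvement it is described as, not as a replacement for a per-user salt and a deliberately slow KDF.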