Also use md5 for constructing key for hmac.

119d7768 · Brian Wilson · 919b4338 · 119d7768 · 119d7768
Commit 119d7768 authored Jun 02, 2014 by Brian Wilson
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 5 deletions

common/djangoapps/track/middleware.py
+5 -5

common/djangoapps/track/tests/test_middleware.py
+1 -0

No files found.
--- a/common/djangoapps/track/middleware.py
+++ b/common/djangoapps/track/middleware.py
@@ -125,12 +125,12 @@ class TrackMiddleware(object):
            return ''
        # Follow the model of django.utils.crypto.salted_hmac() and
-        # django.contrib.sessions.backends.base._hash(), but use MD5
+        # django.contrib.sessions.backends.base._hash() but use MD5
-        # so that the result has the same length (32) as the original
+        # instead of SHA1 so that the result has the same length (32)
-        # session_key.
+        # as the original session_key.
        key_salt = "common.djangoapps.track" + self.__class__.__name__
-        key = hashlib.sha1(key_salt + settings.SECRET_KEY).digest()
+        key = hashlib.md5(key_salt + settings.SECRET_KEY).digest()
-        encrypted_session_key = hmac.new(key, msg=session_key).hexdigest()
+        encrypted_session_key = hmac.new(key, msg=session_key, digestmod=hashlib.md5).hexdigest()
        return encrypted_session_key
    def get_user_primary_key(self, request):

--- a/common/djangoapps/track/tests/test_middleware.py
+++ b/common/djangoapps/track/tests/test_middleware.py
@@ -118,6 +118,7 @@ class TrackMiddlewareTestCase(TestCase):
        request.session.save()
        session_key = request.session.session_key
        expected_session_key = self.track_middleware.encrypt_session_key(session_key)
+        self.assertEquals(len(session_key), len(expected_session_key))
        context = self.get_context_for_request(request)
        self.assert_dict_subset(context, {
            'session': expected_session_key,