Use secure hash algorithm in WebConfiguration.sign_text
Fix: PendingDeprecationWarning: HMAC() without an explicit digestmod argument is deprecated.
The default hash algorithm used by hmac.new is md5. As of today, md5 is so weak
that it's the equivalent of plaintext and can't be considered to be secured at all.
Therefor, we switch to a secure hash algorithm.
The rational for choosing sha3_512 is:
* the recommended algorithm is at least sha_256
* the stronger, the more secured and sha3_512 is the stronger available
* thinking about the future this should keep this part of the code safe long
enough before people think about checking it again
You can read more about choosing a secure hash algorithm in the NIST
recommendations https://csrc.nist.gov/Projects/Hash-Functions/NIST-Policy-on-Hash-Functions
This code modification should normally be transparent since check_text_sign is
exactly this code 'self.sign_text(text) == signature' and that sign_text is
only used in combination with it. The only impact is that the hash is going to
move from 32 char to 128 which might make html page a bit bigger and that
sha3_512 is slow to compute (which is a good thing for security)
CubicWeb semantic web framework
===============================
CubicWeb is a entities / relations based knowledge management system
developped at Logilab.
This package contains:
- a repository server
- a RQL command line client to the repository
- an adaptative modpython interface to the server
- a bunch of other management tools
Install
-------
More details at https://cubicweb.readthedocs.io/en/3.26/book/admin/setup
Getting started
---------------
Execute::
python3 -m venv venv
source venv/bin/activate
pip install 'cubicweb[pyramid]' cubicweb-blog
cubicweb-ctl create blog myblog
# read how to create your ~/etc/cubicweb.d/myblog/pyramid.ini file here:
# https://cubicweb.readthedocs.io/en/latest/book/pyramid/settings/#pyramid-settings-file
# then start your instance:
cubicweb-ctl pyramid -D myblog
sensible-browser http://localhost:8080/
Details at https://cubicweb.readthedocs.io/en/3.26/tutorials/base/blog-in-five-minutes
You can also look at the latest builds on Logilab's jenkins:
https://jenkins.logilab.org/
Test
----
Simply run the `tox` command in the root folder of this repository:
tox
How to install tox: https://tox.readthedocs.io/en/latest/install.html
Documentation
-------------
Look in the doc/ subdirectory or read https://cubicweb.readthedocs.io/en/3.26/
CubicWeb includes the Entypo pictograms by Daniel Bruce — http://www.entypo.com
Contributing
------------
Patches should be submitted by email at the cubicweb-devel@lists.cubicweb.org
mailing list in order to get reviewed by project integrators or any community
member.
The simplest way of send patches is to use the ``hg email`` command available
through the *patchbomb* extension of Mercurial. Preferably, patches should be
*in the message body* of emails. When submitting a revised version of a patch
series, a prefix indicating the iteration number ``<n>`` of the series should
be added to email subject prefixes; this can be achieved by specifying a
``--flag v<n>`` option to ``hg email`` command. If needed you can also use the
--in-reply-to option.
Examples:
hg email --to cubicweb-devel@lists.cubicweb.org --intro -r <start>::<end>
hg email --flag V2 --to cubicweb-devel@lists.cubicweb.org -r <start>::<end>
If you have any questions you can also come on Logilab's public XMPP room using
a XMPP client: public@conference.jabber.logilab.org
Mailing list: https://lists.cubicweb.org/mailman/listinfo/cubicweb-devel
Patchbomb extension: https://www.mercurial-scm.org/wiki/PatchbombExtension
Good practice on sending email patches: https://www.mercurial-scm.org/wiki/ContributingChanges#Emailing_patches