If you look closely at the dumps method in signing.py, you'll see that it accepts a signing key as a keyword argument: if key is None, settings.SECRET_KEY is used instead.
```python
def dumps(obj, key=None, salt='django.core.signing', serializer=JSONSerializer, compress=False):
    """
    Returns URL-safe, sha1 signed base64 compressed JSON string. If key is
    None, settings.SECRET_KEY is used instead.

    If compress is True (not the default) checks if compressing using zlib can
    save some space. Prepends a '.' to signify compression. This is included
    in the signature, to protect against zip bombs.

    Salt can be used to namespace the hash, so that a signed string is
    only valid for a given namespace. Leaving this at the default
    value or re-using a salt value across different parts of your
    application without good cause is a security risk.

    The serializer is expected to return a bytestring.
    """
```
So all you need to do is pass a different key each time:
```python
from django.core import signing

# Each call is signed with the key passed explicitly, not settings.SECRET_KEY
SECRET_KEY = "abc"
print(signing.dumps("value", key=SECRET_KEY))
SECRET_KEY = "123"
print(signing.dumps("value", key=SECRET_KEY))
```
That said, this looks like a bad idea to me, since you're not using the default signing key. If you really need to sign text, create and instantiate a new Signer object and use that, e.g. Signer(key="NEW KEY").
You can also use signer = Signer('my-other-secret') to set the key. – jbiz
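To show why the key and salt matter, here is an added, self-contained stand-in for the dumps/loads pattern the answer describes; it is not Django's code and is not wire-compatible with it, but it follows the same shape (a base64 JSON payload, a derived per-salt key, an HMAC tag appended after a colon) so you can see that a token signed under one key or salt is rejected under another:

```python
import base64
import hashlib
import hmac
import json


class BadSignature(Exception):
    """Raised when a token's tag does not match the key/salt used to verify it."""


def _b64(data: bytes) -> str:
    # URL-safe base64 with padding stripped, as signed tokens usually are
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(payload: str, key: str, salt: str) -> str:
    # Derive a per-salt key so the same secret gives different tags per namespace
    derived = hashlib.sha256((salt + "signer" + key).encode()).digest()
    return _b64(hmac.new(derived, payload.encode(), hashlib.sha256).digest())


def dumps(obj, key: str, salt: str = "django.core.signing") -> str:
    # Here key is mandatory (hypothetical simplification); Django falls back to SECRET_KEY
    payload = _b64(json.dumps(obj, separators=(",", ":")).encode())
    return payload + ":" + _tag(payload, key, salt)


def loads(token: str, key: str, salt: str = "django.core.signing"):
    payload, _, tag = token.rpartition(":")
    # Constant-time comparison so a wrong tag cannot be detected byte by byte
    if not hmac.compare_digest(tag, _tag(payload, key, salt)):
        raise BadSignature("tag does not match this key/salt")
    return json.loads(_unb64(payload))


def verifies(token: str, key: str, salt: str = "django.core.signing") -> bool:
    try:
        loads(token, key, salt)
        return True
    except BadSignature:
        return False


if __name__ == "__main__":
    token = dumps("value", key="abc")          # constructed sample input
    print(token, verifies(token, "abc"), verifies(token, "123"))
```

A token produced with key "abc" verifies only with "abc" and only under the salt it was signed with, which is the namespacing the docstring warns you not to waste by reusing a salt.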