Add backward compatible order verification hash checking.

This can be enabled by specifying a `OSCAR_DEPRECATED_ORDER_VERIFY_KEY` setting, which is not set by default.

This allows projects to continue validating old order verification hashes while still changing the `SECRET_KEY`.

docs/source/releases/v1.6.rst

@@ -109,13 +109,32 @@ Minor changes
    allowed quantity in it based on product availability and basket threshold
    (see :issue:`1412`).
 
- - An unused setting ``OSCAR_SETTINGS`` was removed from ``oscar.core.defaults``.   
+ - An unused setting ``OSCAR_SETTINGS`` was removed from ``oscar.core.defaults``.
 
 .. _incompatible_in_1.6:
 
 Backwards incompatible changes in Oscar 1.6
 -------------------------------------------
 
+ - The mechanism used to generate verification hashes for anonymous orders was
+   changed due to a security vulnerability.
+   ``oscar.apps.order.Order.verification_hash()`` now uses
+   ``django.core.signing`` instead of generating its own MD5 hash for
+    tracking URLs for anonymous orders.
+
+   Projects that allow anonymous checkout are **strongly recommended** to
+   generate a new ``SECRET_KEY``, as the vulnerability exposed the
+   ``SECRET_KEY`` to potential exposure due to weaknesses in the hash generation
+   algorithm.
+
+   As a result of this change, order verification hashes generated previously
+   will no longer validate by default, and URLs generated with the old hash will
+   not be accessible.
+
+   Projects that wish to allow validation of old hashes
+   must specify a ``OSCAR_DEPRECATED_ORDER_VERIFY_KEY`` setting that is equal to
+   the ``SECRET_KEY`` that was in use prior to applying this change.
+
  - ``oscar.apps.customer.auth_backends.EmailBackend`` now rejects inactive users
    (where ``User.is_active`` is ``False``).
 

src/oscar/apps/order/abstract_models.py

@@ -1,7 +1,10 @@
+import hashlib
+import logging
 from collections import OrderedDict
 from decimal import Decimal as D
 
 from django.conf import settings
+from django.core.exceptions import ImproperlyConfigured
 from django.core.signing import BadSignature, Signer
 from django.db import models
 from django.db.models import Sum
@@ -22,6 +25,9 @@ from oscar.models.fields import AutoSlugField
 from . import exceptions
 
 
+logger = logging.getLogger('oscar.order')
+
+
 @python_2_unicode_compatible
 class AbstractOrder(models.Model):
     """
@@ -303,11 +309,38 @@ class AbstractOrder(models.Model):
         signer = Signer(salt='oscar.apps.order.Order')
         return signer.sign(self.number)
 
+    def check_deprecated_verification_hash(self, hash_to_check):
+        """
+        Backward compatible check for md5 hashes that were generated in
+        Oscar 1.5 and lower.
+
+        This must explicitly be enabled by setting OSCAR_DEPRECATED_ORDER_VERIFY_KEY,
+        which must not be equal to SECRET_KEY - i.e., the project must
+        have changed its SECRET_KEY since this change was applied.
+
+        TODO: deprecate this method in Oscar 2.0, and remove it in Oscar 2.1.
+        """
+        old_verification_key = getattr(settings, 'OSCAR_DEPRECATED_ORDER_VERIFY_KEY', None)
+        if old_verification_key is None:
+            return False
+
+        if old_verification_key == settings.SECRET_KEY:
+            raise ImproperlyConfigured(
+                'OSCAR_DEPRECATED_ORDER_VERIFY_KEY cannot be equal to SECRET_KEY')
+
+        logger.warning('Using insecure md5 hashing for order URL hash verification.')
+        string_to_hash = '%s%s' % (self.number, old_verification_key)
+        order_hash = hashlib.md5(string_to_hash.encode('utf8')).hexdigest()
+        return constant_time_compare(order_hash, hash_to_check)
+
     def check_verification_hash(self, hash_to_check):
         """
         Checks the received verification hash against this order number.
         Returns False if the verification failed, True otherwise.
         """
+        if self.check_deprecated_verification_hash(hash_to_check):
+            return True
+
         signer = Signer(salt='oscar.apps.order.Order')
         try:
             signed_number = signer.unsign(hash_to_check)

tests/integration/order/test_models.py

@@ -1,6 +1,7 @@
 from datetime import timedelta, datetime
 from decimal import Decimal as D
 
+from django.core.exceptions import ImproperlyConfigured
 from django.test import TestCase, override_settings
 from django.utils import timezone
 from django.utils.translation import ugettext_lazy as _
@@ -412,3 +413,29 @@ class OrderTests(TestCase):
         order = OrderFactory(number='111000')
         # Hash is valid, but it is for a different order number
         self.assertFalse(order.check_verification_hash('222000:knvoMB1KAiJu8meWtGce00Y88j4'))
+
+    @override_settings(OSCAR_DEPRECATED_ORDER_VERIFY_KEY='deprecated_order_hash_secret')
+    def test_check_deprecated_hash_verification(self):
+        order = OrderFactory(number='100001')
+        # Check that check_deprecated_verification_hash validates the hash
+        self.assertTrue(
+            order.check_deprecated_verification_hash('3efd0339e8c789447469f37851cbaaaf')
+        )
+        # Check that check_verification_hash calls it correctly
+        self.assertTrue(order.check_verification_hash('3efd0339e8c789447469f37851cbaaaf'))
+
+    def test_check_deprecated_hash_verification_without_old_key(self):
+        order = OrderFactory(number='100001')
+        # Check that check_deprecated_verification_hash validates the hash
+        self.assertFalse(
+            order.check_deprecated_verification_hash('3efd0339e8c789447469f37851cbaaaf')
+        )
+
+    @override_settings(
+        OSCAR_DEPRECATED_ORDER_VERIFY_KEY='deprecated_order_hash_secret',
+        SECRET_KEY='deprecated_order_hash_secret')
+    def test_check_deprecated_hash_verification_old_key_matches_new(self):
+        order = OrderFactory(number='100001')
+        # OSCAR_DEPRECATED_ORDER_VERIFY_KEY must not be equal to SECRET_KEY.
+        with self.assertRaises(ImproperlyConfigured):
+            order.check_deprecated_verification_hash('3efd0339e8c789447469f37851cbaaaf')