- =========================
- Oscar 1.5.3 release notes
- =========================
-
- :release: 2018-04-11
-
- This is Oscar 1.5.3, a security release.
-
- A security vulnerability existed in the mechanism used to generate verification
- hashes for anonymous orders. This has been fixed in this release.
-
- ``oscar.apps.order.Order.verification_hash()`` now uses
- ``django.core.signing`` instead of generating its own MD5 hash for
- tracking URLs for anonymous orders.
-
- Projects that allow anonymous checkout are **strongly recommended** to
- generate a new ``SECRET_KEY``, as the vulnerability exposed the
- ``SECRET_KEY`` to potential exposure due to weaknesses in the hash generation
- algorithm.
-
- As a result of this change, order verification hashes generated previously
- will no longer validate by default, and URLs generated with the old hash will
- not be accessible.
-
- Projects that wish to allow validation of old hashes
- must specify a ``OSCAR_DEPRECATED_ORDER_VERIFY_KEY`` setting that is equal to
- the ``SECRET_KEY`` that was in use prior to applying this change.
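Review bot: The ``SECRET_KEY`` rotation recommendation and the ``OSCAR_DEPRECATED_ORDER_VERIFY_KEY`` compatibility setting (the last three paragraphs of the removed text) have no replacement in this hunk, so once the file is gone an operator upgrading across 1.5.3 loses the only notice that anonymous-order verification hashes stop validating and that the setting must equal the previously used ``SECRET_KEY``. Suggest keeping the file, or carrying those paragraphs into whichever release-notes document now covers 1.5.x before removing it. If the text is moved, "a ``OSCAR_DEPRECATED_ORDER_VERIFY_KEY`` setting" should read "an ``OSCAR_DEPRECATED_ORDER_VERIFY_KEY`` setting", and "exposed the ``SECRET_KEY`` to potential exposure" can be tightened to "exposed the ``SECRET_KEY``".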