incuna / django-pgcrypto-fields

Transparent field level encryption for Django using the pgcrypto postgresql extension.
BSD 2-Clause "Simplified" License
230 stars, 51 forks

TextHmacField doesn't encrypt with correct password PGCRYPTO_KEY #530

Closed Gregorio1809 closed 11 months ago

Gregorio1809 commented 1 year ago

Hello, I have an issue when using TextHmacField as an encrypted field.

First, I'm using version 2.1.1, where I checked the "encrypt_sql" attribute of TextHmacField: HMAC_SQL = "hmac(%s, '{}', 'sha512')".format(settings.PGCRYPTO_KEY)

However, when I upgrade to the latest version of your library, suddenly the format is changed to HMAC_SQL = "hmac(%s, '{}', 'sha512')"

Can you tell me why the format string of PGCRYPTO_KEY was removed?

some1ataplace commented 1 year ago

The reason the format string of PGCRYPTO_KEY was removed in the latest version of django-pgcrypto-fields (version 2.3.0 onwards) is to improve security.

Previous versions of django-pgcrypto-fields used string interpolation to insert the value of settings.PGCRYPTO_KEY into the HMAC_SQL string, which can introduce a security vulnerability called SQL injection, where an attacker can manipulate the input data to execute malicious SQL code. Removing the format string and directly including the PGCRYPTO_KEY value in the HMAC_SQL string eliminates this vulnerability.

However, if you really need the old behavior, you can still use version 2.2.0 or earlier, or modify the source code of the latest version to include the format string.
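To make the difference between the two template shapes concrete, here is an added Python example (not code from django-pgcrypto-fields or from either commenter) that builds the hmac() expression both ways: once by formatting the key into the SQL text, as the 2.1.1 template quoted above does, and once by keeping the key out of the SQL text and handing it over as a bind parameter. Stripping the string literals shows that a key containing a single quote changes the structure of the formatted statement, while the parameterized statement keeps the same shape whatever the key contains. The bind-parameter construction, the sample key and the sample data are assumptions for the illustration; the issue does not show how the library passes the key in its later versions. The example also computes the same HMAC-SHA512 in Python for comparison with what pgcrypto's hmac() returns.

```python
import hashlib
import hmac
import re

# Shape of the template quoted in the issue (old form: the key is formatted in).
HMAC_TEMPLATE = "hmac(%s, '{}', 'sha512')"

# Constructed sample values for the demonstration only; not real keys or data.
SAFE_KEY = "s3cretkey"
QUOTED_KEY = "s3cret'key"        # a key that happens to contain a single quote
SAMPLE_DATA = b"alice@example.com"

# A SQL single-quoted string literal; '' inside a literal is an escaped quote.
_LITERAL = re.compile(r"'(?:[^']|'')*'")


def build_interpolated(key: str) -> str:
    """Old construction: the key becomes part of the SQL text itself."""
    return HMAC_TEMPLATE.format(key)


def build_parameterized(key: str) -> tuple[str, list]:
    """Assumed safer construction: the SQL text carries a placeholder for the
    key and the key travels separately as a bind parameter, so its content can
    never alter the statement."""
    return "hmac(%s, %s, 'sha512')", [key]


def sql_shape(sql: str) -> str:
    """Replace every string literal with '' so only the statement structure
    remains; two statements with the same shape differ only in literal values."""
    return _LITERAL.sub("''", sql)


def quotes_balanced(sql: str) -> bool:
    """Cheap sanity check: an odd number of single quotes means a literal was
    opened or closed by data that leaked into the SQL text."""
    return sql.count("'") % 2 == 0


def hmac_sha512(key: bytes, data: bytes) -> bytes:
    """Python equivalent of pgcrypto's hmac(data, key, 'sha512'): 64-byte digest."""
    return hmac.new(key, data, hashlib.sha512).digest()


if __name__ == "__main__":
    for key in (SAFE_KEY, QUOTED_KEY):
        sql = build_interpolated(key)
        print(f"interpolated : {sql!r:45} shape={sql_shape(sql)!r} "
              f"balanced={quotes_balanced(sql)}")
        sql, params = build_parameterized(key)
        print(f"parameterized: {sql!r:45} shape={sql_shape(sql)!r} params={params}")
    print("hmac-sha512 :", hmac_sha512(SAFE_KEY.encode(), SAMPLE_DATA).hex())
```

Running the script prints the two statements for each sample key; only the interpolated form with the quoted key ends up with an unbalanced quote and a different shape. The same structural check is what a database driver's parameter binding guarantees by construction, which is the practical reason for never formatting a secret, or any other value, into SQL text.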