Improve order secret handling (#4139)

- use hmac.compare_digest for all secret comparisons - use salted_hmac with sha256 instead of plain sha1 for hashed secrets - move secret handling into helper functions
2026-05-06 15:24:02 +00:00 · 2024-05-23 14:30:16 +02:00
parent e93e5c047c
commit 05a2f411db
8 changed files with 251 additions and 42 deletions
--- a/src/pretix/base/migrations/0264_order_internal_secret.py
+++ b/src/pretix/base/migrations/0264_order_internal_secret.py
@@ -0,0 +1,24 @@
+# Generated by Django 4.2.11 on 2024-05-16 11:07
+
+from django.db import migrations, models
+
+import pretix.base.models.orders
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("pretixbase", "0263_auto_20240409_0732"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="order",
+            name="internal_secret",
+            field=models.CharField(
+                default=None,
+                max_length=32,
+                null=True,
+            ),
+        ),
+    ]