SECRET_KEY is hardcoded and public, but actually unused
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| MAAS | Fix Released | Undecided | Unassigned | |
Bug Description
Since January 2012, MAAS has included a hard-coded SECRET_KEY in settings.py
https:/
or for LP https:/
This (supposedly) secret key is used by Django for various cryptographic functions and, as the name implies, should be kept secret. As it is, every MAAS installation not only uses the same key, but that key has been publicly readable since the 2012 commit.
MAAS does not actually use the SECRET_KEY for any feature: it uses database-backed sessions for user authentication and none of Django's cryptographic features.
The config should contain a placeholder value and have a comment to make it clear it's unused.
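One way to check a Django settings module for exactly this pattern, as an added example that is neither MAAS code nor the fix from the linked branch: it parses the settings source with Python's `ast` module, classifies how `SECRET_KEY` is assigned (literal, environment, environment with a literal fallback), and notes whether the configured session backend makes the key load-bearing. The settings snippets, the placeholder string and the `DJANGO_SECRET_KEY` variable name are constructed for the example.

```python
"""Audit how a Django settings module handles SECRET_KEY (added example, not MAAS code)."""
import ast

# Constructed sample: the shape of the problem the bug describes, a string
# literal checked into settings.py. The key value is made up.
HARDCODED_SETTINGS = '''
SECRET_KEY = "made-up-literal-key-0123456789"
SESSION_ENGINE = "django.contrib.sessions.backends.db"
'''

# Constructed sample: one way to implement the fix the bug proposes. The
# placeholder is clearly labelled as unused, and DJANGO_SECRET_KEY (an
# assumed variable name) lets a deployment supply a real key if a
# SECRET_KEY-dependent feature is ever enabled.
FIXED_SETTINGS = '''
import os
# SECRET_KEY is not used by this application: sessions live in the database
# and no Django signing feature is enabled. The placeholder only satisfies
# Django's requirement that the setting be non-empty.
SECRET_KEY = os.environ.get("DJANGO_SECRET_KEY", "UNUSED-PLACEHOLDER-SEE-COMMENT")
SESSION_ENGINE = "django.contrib.sessions.backends.db"
'''

# Constructed sample: the case where a shared key would matter, because the
# signed_cookies backend authenticates users with HMACs keyed by SECRET_KEY.
SIGNED_COOKIE_SETTINGS = '''
SECRET_KEY = "made-up-literal-key-0123456789"
SESSION_ENGINE = "django.contrib.sessions.backends.signed_cookies"
'''


def _dotted_name(node):
    """Render a Name/Attribute chain such as os.environ.get as a string, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def classify_secret_key(expr):
    """Classify the right-hand side of a SECRET_KEY assignment."""
    if isinstance(expr, ast.Constant) and isinstance(expr.value, str):
        return "hardcoded"
    if isinstance(expr, ast.Subscript) and _dotted_name(expr.value) == "os.environ":
        return "environment"
    if isinstance(expr, ast.Call):
        if _dotted_name(expr.func) in ("os.environ.get", "os.getenv"):
            has_default = len(expr.args) > 1 or any(k.arg == "default" for k in expr.keywords)
            return "environment-with-fallback" if has_default else "environment"
    return "dynamic"


def audit_settings(source):
    """Return how SECRET_KEY is set, the session backend, and a list of findings."""
    result = {"secret_key": "missing", "session_engine": None, "findings": []}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if "SECRET_KEY" in names:
            result["secret_key"] = classify_secret_key(node.value)
        if "SESSION_ENGINE" in names and isinstance(node.value, ast.Constant):
            result["session_engine"] = node.value.value

    kind = result["secret_key"]
    if kind == "hardcoded":
        result["findings"].append(
            "SECRET_KEY is a string literal: every install built from this file "
            "shares it, and anyone who can read the source knows it.")
    elif kind == "environment-with-fallback":
        result["findings"].append(
            "SECRET_KEY falls back to a literal when the environment is unset; "
            "acceptable only if the key is unused and the comment says so.")

    # Whether the shared key is load-bearing depends on what Django does with it.
    # Database-backed sessions (the MAAS case) do not sign anything with it.
    if (result["session_engine"] == "django.contrib.sessions.backends.signed_cookies"
            and kind in ("hardcoded", "environment-with-fallback")):
        result["findings"].append(
            "signed_cookies sessions make SECRET_KEY load-bearing: a shared key "
            "is an authentication risk, not just a hygiene issue.")
    return result


if __name__ == "__main__":
    for label, src in (("hardcoded", HARDCODED_SETTINGS),
                       ("fixed", FIXED_SETTINGS),
                       ("signed cookies", SIGNED_COOKIE_SETTINGS)):
        print(label, audit_settings(src))
```

The audit deliberately keeps two separate questions apart: whether the key is shared across installs (a property of the settings file) and whether anything in the deployment relies on it (a property of the enabled Django features). The bug's own argument rests on the second answer being "no" for MAAS, which is why a labelled placeholder is an acceptable fix there but would not be for a deployment using signed-cookie sessions.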
Related branches
- Adam Collard (community): Approve
- MAAS Lander: Pending (unittests) requested
- Diff: 17 lines (+4/-2), 1 file modified: src/maasserver/djangosettings/settings.py (+4/-2)
| Field | Change |
|---|---|
| summary | SECRET_KEY is hardcoded and public → SECRET_KEY is hardcoded and public, but actually unused |
| description | updated |
| information type | Private Security → Public |
| Changed in maas: milestone | none → next |
| Changed in maas: status | New → Fix Committed |
| Changed in maas: milestone | next → none |
| Changed in maas: status | Fix Committed → Fix Released |