Oscar 1.5.3 release notes¶
This is Oscar 1.5.3, a security release.
A security vulnerability existed in the mechanism used to generate verification hashes for anonymous orders. This has been fixed in this release.
oscar.apps.order.Order.verification_hash() now uses
django.core.signing instead of generating its own MD5 hash for
tracking URLs for anonymous orders.
Projects that allow anonymous checkout are strongly recommended to
generate a new
SECRET_KEY, as the vulnerability exposed the
SECRET_KEY to potential exposure due to weaknesses in the hash generation
As a result of this change, order verification hashes generated previously will no longer validate by default, and URLs generated with the old hash will not be accessible.
Projects that wish to allow validation of old hashes
must specify a
OSCAR_DEPRECATED_ORDER_VERIFY_KEY setting that is equal to
SECRET_KEY that was in use prior to applying this change.