Oscar 1.5.3 release notesΒΆ
- release
2018-04-11
This is Oscar 1.5.3, a security release.
A security vulnerability existed in the mechanism used to generate verification hashes for anonymous orders. This has been fixed in this release.
oscar.apps.order.Order.verification_hash()
now uses
django.core.signing
instead of generating its own MD5 hash for
tracking URLs for anonymous orders.
Projects that allow anonymous checkout are strongly recommended to
generate a new SECRET_KEY
, as the vulnerability exposed the
SECRET_KEY
to potential exposure due to weaknesses in the hash generation
algorithm.
As a result of this change, order verification hashes generated previously will no longer validate by default, and URLs generated with the old hash will not be accessible.
Projects that wish to allow validation of old hashes
must specify a OSCAR_DEPRECATED_ORDER_VERIFY_KEY
setting that is equal to
the SECRET_KEY
that was in use prior to applying this change.