Merge branch 'master' into 2023/django-5

CHANGES

@@ -1,12 +1,15 @@
 Version History
 ===============
 
-
 Version 0.6.0
 -------------
 * Only Django versions 4.2 or above are now supported
 * Removed the old rendering methods that were deprecated in 2017.
 
+Version 0.5.19
+--------------
+* SECURITY ISSUE: reset the random seed after an image was generated (#221, thanks @ibuler)
+
 Version 0.5.18
 --------------
 * Fix some typos in documentation (#210, thanks @stweil)

captcha/views.py

@@ -135,6 +135,13 @@ def captcha_image(request, key, scale=1):
     response.write(out.read())
     response["Content-length"] = out.tell()
 
+    # At line :50 above we fixed the random seed so that we always generate the
+    # same image, see: https://github.com/mbi/django-simple-captcha/pull/194
+    # This is a problem though, because knowledge of the seed will let an attacker
+    # predict the next random (globally). We therefore reset the random here.
+    # Reported in https://github.com/mbi/django-simple-captcha/pull/221
+    random.seed()
+
     return response
 
 

docs/conf.py

@@ -50,6 +50,7 @@
 #
 # The short X.Y version.
 version = "0.6.0"
+
 # The full version, including alpha/beta/rc tags.
 release = version
 

setup.py

@@ -32,7 +32,7 @@ def run_tests(self):
 
 
 install_requires = [
-    "Django >= 3.2",
+    "Django >= 4.2",
     "Pillow >=6.2.0",
     "django-ranged-response == 0.2.0",
 ]
@@ -59,7 +59,6 @@ def run_tests(self):
         "License :: OSI Approved :: MIT License",
         "Operating System :: OS Independent",
         "Programming Language :: Python",
-        "Programming Language :: Python :: 3.8",
         "Programming Language :: Python :: 3.9",
         "Programming Language :: Python :: 3.10",
         "Programming Language :: Python :: 3.11",