Security: rename WEBHOOK_AUTHORIZATION --> WEBHOOK_SECRET

This fixes a low severity security issue affecting Anymail v0.2--v1.3.

Django error reporting includes the value of your Anymail
WEBHOOK_AUTHORIZATION setting. In a properly-configured deployment,
this should not be cause for concern. But if you have somehow exposed
your Django error reports (e.g., by mis-deploying with DEBUG=True or by
sending error reports through insecure channels), anyone who gains
access to those reports could discover your webhook shared secret. An
attacker could use this to post fabricated or malicious Anymail
tracking/inbound events to your app, if you are using those Anymail
features.

The fix renames Anymail's webhook shared secret setting so that
Django's error reporting mechanism will [sanitize][0] it.

If you are using Anymail's event tracking and/or inbound webhooks, you
should upgrade to this release and change "WEBHOOK_AUTHORIZATION" to
"WEBHOOK_SECRET" in the ANYMAIL section of your settings.py. You may
also want to [rotate the shared secret][1] value, particularly if you
have ever exposed your Django error reports to untrusted individuals.

If you are only using Anymail's EmailBackends for sending email and
have not set up Anymail's webhooks, this issue does not affect you.

The old WEBHOOK_AUTHORIZATION setting is still allowed in this release,
but will issue a system-check warning when running most Django
management commands. It will be removed completely in a near-future
release, as a breaking change.

Thanks to Charlie DeTar (@yourcelf) for responsibly reporting this
security issue through private channels.

[0]: https://docs.djangoproject.com/en/stable/ref/settings/#debug
[1]: https://anymail.readthedocs.io/en/1.4/tips/securing_webhooks/#use-a-shared-authorization-secret

Author: medmunds

anymail/apps.py

@@ -1,9 +1,12 @@
 from django.apps import AppConfig
+from django.core import checks
+
+from .checks import check_deprecated_settings
 
 
 class AnymailBaseConfig(AppConfig):
     name = 'anymail'
     verbose_name = "Anymail"
 
     def ready(self):
-        pass
+        checks.register(check_deprecated_settings)

anymail/checks.py

@@ -0,0 +1,24 @@
+from django.conf import settings
+from django.core import checks
+
+
+def check_deprecated_settings(app_configs, **kwargs):
+    errors = []
+
+    anymail_settings = getattr(settings, "ANYMAIL", {})
+
+    # anymail.W001: rename WEBHOOK_AUTHORIZATION to WEBHOOK_SECRET
+    if "WEBHOOK_AUTHORIZATION" in anymail_settings:
+        errors.append(checks.Warning(
+            "The ANYMAIL setting 'WEBHOOK_AUTHORIZATION' has been renamed 'WEBHOOK_SECRET' to improve security.",
+            hint="You must update your settings.py. The old name will stop working in a near-future release.",
+            id="anymail.W001",
+        ))
+    if hasattr(settings, "ANYMAIL_WEBHOOK_AUTHORIZATION"):
+        errors.append(checks.Warning(
+            "The ANYMAIL_WEBHOOK_AUTHORIZATION setting has been renamed ANYMAIL_WEBHOOK_SECRET to improve security.",
+            hint="You must update your settings.py. The old name will stop working in a near-future release.",
+            id="anymail.W001",
+        ))
+
+    return errors

anymail/webhooks/base.py

@@ -24,15 +24,19 @@ class AnymailBasicAuthMixin(object):
     basic_auth = None  # (Declaring class attr allows override by kwargs in View.as_view.)
 
     def __init__(self, **kwargs):
-        self.basic_auth = get_anymail_setting('webhook_authorization', default=[],
+        self.basic_auth = get_anymail_setting('webhook_secret', default=[],
                                               kwargs=kwargs)  # no esp_name -- auth is shared between ESPs
+        if not self.basic_auth:
+            # Temporarily allow deprecated WEBHOOK_AUTHORIZATION setting
+            self.basic_auth = get_anymail_setting('webhook_authorization', default=[], kwargs=kwargs)
+
         # Allow a single string:
         if isinstance(self.basic_auth, six.string_types):
             self.basic_auth = [self.basic_auth]
         if self.warn_if_no_basic_auth and len(self.basic_auth) < 1:
             warnings.warn(
                 "Your Anymail webhooks are insecure and open to anyone on the web. "
-                "You should set WEBHOOK_AUTHORIZATION in your ANYMAIL settings. "
+                "You should set WEBHOOK_SECRET in your ANYMAIL settings. "
                 "See 'Securing webhooks' in the Anymail docs.",
                 AnymailInsecureWebhookWarning)
         # noinspection PyArgumentList

docs/esps/mailgun.rst

@@ -197,7 +197,7 @@ for all events you want to receive:
 
    :samp:`https://{random}:{random}@{yoursite.example.com}/anymail/mailgun/tracking/`
 
-     * *random:random* is an :setting:`ANYMAIL_WEBHOOK_AUTHORIZATION` shared secret
+     * *random:random* is an :setting:`ANYMAIL_WEBHOOK_SECRET` shared secret
      * *yoursite.example.com* is your Django site
 
 If you use multiple Mailgun sending domains, you'll need to enter the webhook
@@ -232,7 +232,7 @@ The *action* for your route will be either:
    :samp:`forward("https://{random}:{random}@{yoursite.example.com}/anymail/mailgun/inbound/")`
    :samp:`forward("https://{random}:{random}@{yoursite.example.com}/anymail/mailgun/inbound_mime/")`
 
-     * *random:random* is an :setting:`ANYMAIL_WEBHOOK_AUTHORIZATION` shared secret
+     * *random:random* is an :setting:`ANYMAIL_WEBHOOK_SECRET` shared secret
      * *yoursite.example.com* is your Django site
 
 Anymail accepts either of Mailgun's "fully-parsed" (.../inbound/) and "raw MIME" (.../inbound_mime/)

docs/esps/mailjet.rst

@@ -232,7 +232,7 @@ the url in your Mailjet account REST API settings under `Event tracking (trigger
 
    :samp:`https://{random}:{random}@{yoursite.example.com}/anymail/mailjet/tracking/`
 
-     * *random:random* is an :setting:`ANYMAIL_WEBHOOK_AUTHORIZATION` shared secret
+     * *random:random* is an :setting:`ANYMAIL_WEBHOOK_SECRET` shared secret
      * *yoursite.example.com* is your Django site
 
 Be sure to enter the URL in the Mailjet settings for all the event types you want to receive.
@@ -263,7 +263,7 @@ The parseroute Url parameter will be:
 
    :samp:`https://{random}:{random}@{yoursite.example.com}/anymail/mailjet/inbound/`
 
-     * *random:random* is an :setting:`ANYMAIL_WEBHOOK_AUTHORIZATION` shared secret
+     * *random:random* is an :setting:`ANYMAIL_WEBHOOK_SECRET` shared secret
      * *yoursite.example.com* is your Django site
 
 Once you've done Mailjet's "basic setup" to configure the Parse API webhook, you can skip

docs/esps/mandrill.rst

@@ -206,7 +206,7 @@ requires deploying your Django project twice:
 
       :samp:`https://{random}:{random}@{yoursite.example.com}/anymail/mandrill/`
 
-        * *random:random* is an :setting:`ANYMAIL_WEBHOOK_AUTHORIZATION` shared secret
+        * *random:random* is an :setting:`ANYMAIL_WEBHOOK_SECRET` shared secret
         * *yoursite.example.com* is your Django site
         * (Note: Unlike Anymail's other supported ESPs, the Mandrill webhook uses this
           single url for both tracking and inbound events.)

docs/esps/postmark.rst

@@ -181,7 +181,7 @@ want to receive all these types of events):
 
    :samp:`https://{random}:{random}@{yoursite.example.com}/anymail/postmark/tracking/`
 
-     * *random:random* is an :setting:`ANYMAIL_WEBHOOK_AUTHORIZATION` shared secret
+     * *random:random* is an :setting:`ANYMAIL_WEBHOOK_SECRET` shared secret
      * *yoursite.example.com* is your Django site
 
 Anymail doesn't care about the "include bounce content" and "post only on first open"
@@ -216,7 +216,7 @@ The InboundHookUrl setting will be:
 
    :samp:`https://{random}:{random}@{yoursite.example.com}/anymail/postmark/inbound/`
 
-     * *random:random* is an :setting:`ANYMAIL_WEBHOOK_AUTHORIZATION` shared secret
+     * *random:random* is an :setting:`ANYMAIL_WEBHOOK_SECRET` shared secret
      * *yoursite.example.com* is your Django site
 
 Anymail handles the "parse an email" part of Postmark's instructions for you, but you'll

docs/esps/sendgrid.rst

@@ -284,7 +284,7 @@ the url in your `SendGrid mail settings`_, under "Event Notification":
 
    :samp:`https://{random}:{random}@{yoursite.example.com}/anymail/sendgrid/tracking/`
 
-     * *random:random* is an :setting:`ANYMAIL_WEBHOOK_AUTHORIZATION` shared secret
+     * *random:random* is an :setting:`ANYMAIL_WEBHOOK_SECRET` shared secret
      * *yoursite.example.com* is your Django site
 
 Be sure to check the boxes in the SendGrid settings for the event types you want to receive.
@@ -315,7 +315,7 @@ The Destination URL setting will be:
 
    :samp:`https://{random}:{random}@{yoursite.example.com}/anymail/sendgrid/inbound/`
 
-     * *random:random* is an :setting:`ANYMAIL_WEBHOOK_AUTHORIZATION` shared secret
+     * *random:random* is an :setting:`ANYMAIL_WEBHOOK_SECRET` shared secret
      * *yoursite.example.com* is your Django site
 
 Be sure the URL has a trailing slash. (SendGrid's inbound processing won't follow Django's

docs/esps/sparkpost.rst

@@ -197,7 +197,7 @@ webhook in your `SparkPost account settings under "Webhooks"`_:
 
 * Target URL: :samp:`https://{yoursite.example.com}/anymail/sparkpost/tracking/`
 * Authentication: choose "Basic Auth." For username and password enter the two halves of the
-  *random:random* shared secret you created for your :setting:`ANYMAIL_WEBHOOK_AUTHORIZATION`
+  *random:random* shared secret you created for your :setting:`ANYMAIL_WEBHOOK_SECRET`
   Django setting. (Anymail doesn't support OAuth webhook auth.)
 * Events: click "Select" and then *clear* the checkbox for "Relay Events" category (which is for
   inbound email). You can leave all the other categories of events checked, or disable
@@ -235,7 +235,7 @@ The target parameter for the Relay Webhook will be:
 
    :samp:`https://{random}:{random}@{yoursite.example.com}/anymail/sparkpost/inbound/`
 
-     * *random:random* is an :setting:`ANYMAIL_WEBHOOK_AUTHORIZATION` shared secret
+     * *random:random* is an :setting:`ANYMAIL_WEBHOOK_SECRET` shared secret
      * *yoursite.example.com* is your Django site
 
 .. _Enabling Inbound Email Relaying:

docs/installation.rst

@@ -98,22 +98,22 @@ Skip this section if you won't be using Anymail's webhooks.
     or subject your app to malicious input data.
 
     At a minimum, your site should **use https** and you should
-    configure **webhook authorization** as described below.
+    configure a **webhook secret** as described below.
 
     See :ref:`securing-webhooks` for additional information.
 
 
 If you want to use Anymail's inbound or tracking webhooks:
 
 1. In your :file:`settings.py`, add
-   :setting:`WEBHOOK_AUTHORIZATION <ANYMAIL_WEBHOOK_AUTHORIZATION>`
+   :setting:`WEBHOOK_SECRET <ANYMAIL_WEBHOOK_SECRET>`
    to the ``ANYMAIL`` block:
 
    .. code-block:: python
 
       ANYMAIL = {
           ...
-          'WEBHOOK_AUTHORIZATION': '<a random string>:<another random string>',
+          'WEBHOOK_SECRET': '<a random string>:<another random string>',
       }
 
    This setting should be a string with two sequences of random characters,
@@ -133,7 +133,7 @@ If you want to use Anymail's inbound or tracking webhooks:
 
    (This setting is actually an HTTP basic auth string. You can also set it
    to a list of auth strings, to simplify credential rotation or use different auth
-   with different ESPs. See :setting:`ANYMAIL_WEBHOOK_AUTHORIZATION` in the
+   with different ESPs. See :setting:`ANYMAIL_WEBHOOK_SECRET` in the
    :ref:`securing-webhooks` docs for more details.)
 
 
@@ -160,7 +160,7 @@ If you want to use Anymail's inbound or tracking webhooks:
    :samp:`https://{random}:{random}@{yoursite.example.com}/anymail/{esp}/{type}/`
 
      * "https" (rather than http) is *strongly recommended*
-     * *random:random* is the WEBHOOK_AUTHORIZATION string you created in step 1
+     * *random:random* is the WEBHOOK_SECRET string you created in step 1
      * *yoursite.example.com* is your Django site
      * "anymail" is the url prefix (from step 2)
      * *esp* is the lowercase name of your ESP (e.g., "sendgrid" or "mailgun")
@@ -266,20 +266,26 @@ Set to `True` to ignore these problems and send the email anyway. See
 :ref:`unsupported-features`. (Default `False`.)
 
 
-.. rubric:: WEBHOOK_AUTHORIZATION
+.. rubric:: WEBHOOK_SECRET
 
 A `'random:random'` shared secret string. Anymail will reject incoming webhook calls
 from your ESP that don't include this authorization. You can also give a list of
 shared secret strings, and Anymail will allow ESP webhook calls that match any of them
 (to facilitate credential rotation). See :ref:`securing-webhooks`.
 
 Default is unset, which leaves your webhooks insecure. Anymail
-will warn if you try to use webhooks with setting up authorization.
+will warn if you try to use webhooks without a shared secret.
 
 This is actually implemented using HTTP basic authorization, and the string is
 technically a "username:password" format. But you should *not* use any real
 username or password for this shared secret.
 
+.. versionchanged:: 1.4
+
+    The earlier WEBHOOK_AUTHORIZATION setting was renamed WEBHOOK_SECRET, so that
+    Django error reporting sanitizes it. The old name is still allowed in v1.4,
+    but will be removed in a near-future release. You should update your settings.
+
 
 .. setting:: ANYMAIL_REQUESTS_TIMEOUT