Opened 13 years ago
Closed 13 years ago
#19687 closed Bug (duplicate)
UnsaltedMD5PasswordHasher throws exception on verify() with md5$$SALT
| Reported by: | | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 1.4 |
| Severity: | Normal | Keywords: | login |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
After upgrading from v1.2.7 to 1.4.3, users had no way of logging in.
I noticed that the UnsaltedMD5PasswordHasher.verify() was passing the wrong arguments to constant_time_compare(). The arg "encoded" includes the algorithm and prefix "md5$$", so we need to strip it out first.
Should change:
return constant_time_compare(encoded, encoded_2)
To:
return constant_time_compare(encoded[5:], encoded_2)
I've made a pull request at https://github.com/django/django/pull/681
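
Added example (not Django's code and not the patch from the pull request): a simplified stand-in for the comparison described in the ticket, with `hmac.compare_digest` substituting for `constant_time_compare`. It goes slightly beyond the ticket by also checking a bare 32-character digest, which is assumed here as a second legacy format; all function names and sample records are constructed.

```python
import hashlib
import hmac

PREFIX = "md5$$"  # algorithm name plus empty salt field, as quoted in the ticket


def encode(password):
    """Unsalted MD5 hex digest (32 chars), the value the ticket calls encoded_2."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_buggy(password, encoded):
    # Compares the whole stored string, prefix included, to the bare digest.
    return hmac.compare_digest(encoded, encode(password))


def verify_sliced(password, encoded):
    # The ticket's proposed change: always drop the first five characters.
    return hmac.compare_digest(encoded[5:], encode(password))


def verify_prefix_aware(password, encoded):
    # Strip the prefix only when it is present, so bare digests still verify
    # (assumption: a store may hold both formats).
    if encoded.startswith(PREFIX):
        encoded = encoded[len(PREFIX):]
    return hmac.compare_digest(encoded, encode(password))


# Constructed sample records, not taken from any real database.
BARE = encode("s3cret")
PREFIXED = PREFIX + BARE


def outcomes(password="s3cret"):
    """Return {verifier name: (result on prefixed record, result on bare record)}."""
    checks = (verify_buggy, verify_sliced, verify_prefix_aware)
    return {f.__name__: (f(password, PREFIXED), f(password, BARE)) for f in checks}


if __name__ == "__main__":
    for name, result in outcomes().items():
        print(name, result)
```

The example models only the comparison mismatch that locks users out, not the exception mentioned in the ticket title.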