#36179 closed Bug (fixed)
hexed strings in common passwords database are not handled
| Reported by: | Michel Le Bihan | Owned by: | Michel Le Bihan |
|---|---|---|---|
| Component: | contrib.auth | Version: | 5.1 |
| Severity: | Normal | Keywords: | CommonPasswordValidator |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Hello,
The common passwords database file (https://github.com/django/django/blob/main/django/contrib/auth/common-passwords.txt.gz) used by CommonPasswordValidator contains hexed strings like $hex[617364666a6b6c3a] on line 1679. That decodes to asdfjkl: which I believe is a common password that was intended to be included in the database. Another example is $hex[2623323333363a] on line 8616 that decodes to ठ:. I see that https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce contains the line 50334:72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b:$HEX[617364666a6b6c3a] and echo -n 'asdfjkl:' | sha1sum produces 72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b. CommonPasswordValidator does not handle those hexed strings which I believe is wrong.
I propose to update the database file to decode the hexed values and remove those that obviously can't be entered by a user.
Change History (15)
comment:1 by , 9 months ago
| Description: | modified (diff) |
|---|
comment:2 by , 9 months ago
| Has patch: | set |
|---|
comment:3 by , 9 months ago
| Owner: | set to |
|---|---|
| Status: | new → assigned |
comment:4 by , 9 months ago
| Resolution: | → invalid |
|---|---|
| Status: | assigned → closed |
comment:5 by , 9 months ago
Hello,
I'm referring to those with : at the end. Please just search $hex in that file and you will notice the issue.
comment:6 by , 9 months ago
| Resolution: | invalid |
|---|---|
| Status: | closed → new |
comment:7 by , 9 months ago
comment:8 by , 9 months ago
| Triage Stage: | Unreviewed → Accepted |
|---|
Ah thank you!
Folks can de-hex using this tool: https://www.rapidtables.com/convert/number/hex-to-ascii.html
Here is a regression test:
-
tests/auth_tests/test_validators.py
a b class CommonPasswordValidatorTest(SimpleTestCase): 273 273 CommonPasswordValidator().validate("godzilla") 274 274 self.assertEqual(cm.exception.messages, [expected_error]) 275 275 276 def test_common_hexed_codes(self): 277 expected_error = "This password is too common." 278 common_hexed_passwords = ["asdfjkl:", "ठ:"] 279 for password in common_hexed_passwords: 280 with self.subTest(password=password): 281 with self.assertRaises(ValidationError) as cm: 282 CommonPasswordValidator().validate(password) 283 self.assertEqual(cm.exception.messages, [expected_error]) 284 276 285 def test_validate_custom_list(self): 277 286 path = os.path.join(
comment:9 by , 9 months ago
I sent a patch that unhexes the values in the database: https://github.com/django/django/pull/19155
comment:10 by , 9 months ago
| Patch needs improvement: | set |
|---|
While most of the $hex entries are removed, there's still one entry that's just $hex. I _believe_ this is an oversight, and not intentional.
comment:11 by , 9 months ago
| Patch needs improvement: | unset |
|---|---|
| Triage Stage: | Accepted → Ready for checkin |
Per discusison in the PR, seems like this is actually part of the dataset.
comment:12 by , 9 months ago
| Needs tests: | set |
|---|---|
| Triage Stage: | Ready for checkin → Accepted |
comment:13 by , 9 months ago
| Needs tests: | unset |
|---|---|
| Triage Stage: | Accepted → Ready for checkin |
Thank you for the ticket
I think you are referring to there passwords asdfjkl; and ठ (
;not:) which are validating correctly, the others are not in the list