
Opened 5 years ago

Closed 5 years ago

Last modified 3 years ago

#10265 closed (fixed)

_make_token_with_timestamp inconsistent based on User.last_login

Reported by: felix
Owned by: nobody
Component: Contrib apps
Version: 1.0
Severity: (none)
Keywords: auth token login
Cc: crucialfelix@…
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: (none)
UI/UX: (none)

Description (last modified by Alex)

The default token generator makes inconsistent tokens depending on whether the user has been loaded from the db or has just been created during this response.

The difference is that a User just created has a last_login with microseconds set, but when reloaded from the db it does not, and the token generator uses unicode(user.last_login) in the hash:

>>> from django.contrib.auth.models import User
>>> u1 = User.objects.create_user("username","user@email.com","password")
>>> u1.last_login
datetime.datetime(2009, 2, 14, 16, 5, 3, 638275)
>>> unicode(u1.last_login)
u'2009-02-14 16:05:03.638275'

>>> u2 = User.objects.all()[0]
>>> u2
<User: crucial>
>>> u2.last_login
datetime.datetime(2009, 2, 14, 15, 47, 20)
>>> unicode(u2.last_login)
u'2009-02-14 15:47:20'

(As an aside, I don't think that a user should be created with a last login of now; a new user has never logged in.)

# user just made, generate token:
making token 3 2009-02-14 16:24:33.632380 2966
2ae-c3c68b86d5148e768353

# user comes to site, token fails equality test in check_token
making token 3 2009-02-14 16:24:33 2966
2ae-e8d746b5603f6fae0fd5

The fix is to explicitly format user.last_login without the microsecond.

This fix should not break any currently generated tokens out there in email land.
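The mismatch described above, reproduced in a self-contained stand-in for _make_token_with_timestamp. This is an added example, not Django's code or the attached patch: the HMAC-SHA256 construction, the field separator, SECRET_KEY, the user id, the password hash string and the timestamp value are all constructed for the demo. The naive formatter keeps whatever str() gives (microseconds included when present); the fixed formatter renders whole seconds so the in-memory object and the row reloaded from the db hash identically.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed stand-in for settings.SECRET_KEY; not a real key.
SECRET_KEY = b"example-secret-key-for-demo-only"


def ts_string_naive(last_login):
    """Buggy variant: str(datetime) includes microseconds when they are set."""
    return str(last_login)


def ts_string_fixed(last_login):
    """Fixed variant: whole seconds only, so a freshly created object and a
    row reloaded from the db produce the same string."""
    return last_login.strftime("%Y-%m-%d %H:%M:%S")


def make_token(user_id, password_hash, last_login, timestamp, fmt=ts_string_fixed):
    """Stand-in for _make_token_with_timestamp: bind the token to state that
    should invalidate it when it changes (password, last login) plus a
    timestamp, and keep the short hex form 'ts-digest' of the original."""
    msg = "|".join([str(user_id), password_hash, fmt(last_login), str(timestamp)])
    digest = hmac.new(SECRET_KEY, msg.encode(), hashlib.sha256).hexdigest()[::2]
    return "%x-%s" % (timestamp, digest)


def check_token(user_id, password_hash, last_login, token, fmt=ts_string_fixed):
    """Recompute the token from the stored user state and compare in
    constant time; a malformed timestamp prefix is rejected outright."""
    ts_hex, _, _ = token.partition("-")
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return False
    expected = make_token(user_id, password_hash, last_login, ts, fmt=fmt)
    return hmac.compare_digest(expected, token)


def demo():
    """Return (buggy_ok, fixed_ok): whether a token minted on the in-memory
    User verifies against the same User reloaded from the db."""
    in_memory = datetime(2009, 2, 14, 16, 5, 3, 638275)  # from the report
    reloaded = in_memory.replace(microsecond=0)          # what the db gives back
    ts, pw = 2966, "constructed-password-hash"           # constructed values

    buggy_token = make_token(3, pw, in_memory, ts, fmt=ts_string_naive)
    buggy_ok = check_token(3, pw, reloaded, buggy_token, fmt=ts_string_naive)

    fixed_token = make_token(3, pw, in_memory, ts)
    fixed_ok = check_token(3, pw, reloaded, fixed_token)
    return buggy_ok, fixed_ok


if __name__ == "__main__":
    print(demo())  # (False, True)
```

Because both tokens are issued from the same in-memory User and verified against the reloaded one, the only difference between the two runs is the timestamp formatter, which isolates the cause the report identifies.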

Attachments (1)

token.patch (1.3 KB) - added by crucialfelix@… 5 years ago.


Change History (5)

Changed 5 years ago by crucialfelix@…

comment:1 Changed 5 years ago by Alex

  • Description modified (diff)
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Please use the preview button :)

comment:2 Changed 5 years ago by jacob

  • milestone set to 1.1
  • Triage Stage changed from Unreviewed to Accepted

comment:3 Changed 5 years ago by jacob

  • Resolution set to fixed
  • Status changed from new to closed

(In [10341]) Fixed #10265: fixed a bug when generating a password reset token for a user created on the same request. Thanks, crucialfelix.

comment:4 Changed 3 years ago by jacob

  • milestone 1.1 deleted

Milestone 1.1 deleted
