Opened 12 years ago

Closed 12 years ago

#17777 closed Bug (fixed)

MD5PasswordHasher is not using salt

Reported by: gunnar@…
Owned by: Paul McMillan
Component: contrib.auth
Version: 1.4-beta-1
Severity: Release blocker
Keywords: MD5PasswordHasher MD5 salt login
Cc: mbt@…
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Django 1.3.1:
In django.contrib.auth.models.py line 32 the md5 password hash is calculated with salt.

 return md5_constructor(salt + raw_password).hexdigest()

Django 1.4 beta 1 uses md5 without salt:

 return hashlib.md5(password).hexdigest()

Verification of passwords from users of Django 1.3.1 with salted md5 passwords is failing.
Therefore these users can't log in anymore.

Change History (6)

comment:1 by Michael B. Trausch, 12 years ago

Cc: mbt@… added

comment:2 by Aymeric Augustin, 12 years ago

Owner: changed from nobody to Paul McMillan
Triage Stage: Unreviewed → Accepted

comment:3 by Paul McMillan, 12 years ago

Type: Uncategorized → Bug

This is related to the fact that we actually had 2 separate forms of MD5 hashing historically, and the md5 hasher in the patch only deals with one of them:

https://code.djangoproject.com/browser/django/branches/releases/1.3.X/django/contrib/auth/models.py#L268

https://code.djangoproject.com/browser/django/branches/releases/1.3.X/django/contrib/auth/models.py#L31
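As an added illustration of the two legacy formats the report and comment 3 refer to (example code written for this page, not Django's hasher; the function names, the sample password and the salt are made up), the following Python 3 script models the 1.3 salted layout `md5$<salt>$<hex>` and the bare unsalted hexdigest, shows why a hasher that keeps the salt in the stored string but hashes the password without it rejects every 1.3 hash, and dispatches on the stored format the way a backwards-compatible hasher has to:

```python
import hashlib
import hmac

# Hypothetical helpers written for this note; none of these names are Django's.
# They model the two historic storage formats discussed in the ticket:
#   1. "md5$<salt>$<hex>" with hex = md5(salt + password)  (Django 1.3 style)
#   2. "<hex>" with hex = md5(password), no salt and no "$" (older unsalted style)


def legacy_salted_md5(password, salt):
    """1.3-style salted MD5: hexdigest of salt + password, stored with the salt."""
    digest = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
    return "md5$%s$%s" % (salt, digest)


def legacy_unsalted_md5(password):
    """Bare hexdigest of the password alone, stored without algorithm or salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_beta1_style(password, encoded):
    """Models the behaviour the ticket reports for 1.4-beta-1: the stored salt is
    carried along, but the password is hashed without it, so any 1.3 hash of
    md5(salt + password) can never match what is recomputed here."""
    algorithm, salt, _ = encoded.split("$", 2)
    if algorithm != "md5":
        raise ValueError("unsupported algorithm: %r" % algorithm)
    recomputed = "md5$%s$%s" % (salt, legacy_unsalted_md5(password))
    return hmac.compare_digest(recomputed, encoded)


def verify_compat(password, encoded):
    """Dispatch on the stored format so both legacy forms keep verifying.
    Comparison is constant-time; the shape mirrors the resolution described in
    the ticket (a separate salted-MD5 hasher kept for compatibility)."""
    if "$" not in encoded:
        # Unsalted form: nothing but a 32-character hex digest.
        return hmac.compare_digest(legacy_unsalted_md5(password), encoded)
    algorithm, salt, _ = encoded.split("$", 2)
    if algorithm != "md5":
        raise ValueError("unsupported algorithm: %r" % algorithm)
    return hmac.compare_digest(legacy_salted_md5(password, salt), encoded)


def needs_rehash(encoded):
    """Both legacy forms are weak; flag them for upgrade on the next successful login."""
    return "$" not in encoded or encoded.startswith("md5$")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real user database.
    stored_13 = legacy_salted_md5("correct horse", "a1b2c3d4")
    stored_old = legacy_unsalted_md5("correct horse")
    print("1.3 salted hash under the salt-dropping hasher:",
          verify_beta1_style("correct horse", stored_13))   # False: this is the bug
    print("1.3 salted hash under the compat hasher:",
          verify_compat("correct horse", stored_13))        # True
    print("unsalted hash under the compat hasher:",
          verify_compat("correct horse", stored_old))       # True
    print("wrong password under the compat hasher:",
          verify_compat("wrong", stored_13))                # False
    print("legacy hash flagged for rehash:", needs_rehash(stored_13))  # True
```

The dispatch on the presence of `$` is what distinguishes the two historic layouts; a hasher that handles only the salted layout, or that ignores the salt while recomputing, silently locks out one population of users. Pairing verification with a rehash flag lets a deployment migrate away from MD5 as users log in rather than keeping the weak hashes indefinitely.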

comment:4 by Paul McMillan, 12 years ago

Resolution: fixed
Status: new → closed

In [17604]:

Fixes #17777 and makes tests run again.

Adds a salted MD5 hasher for backwards compatibility.
Thanks gunnar@… for the report.

Also fixes a bug preventing the hasher tests from being run during
contrib tests.

comment:5 by Ronkay János Péter, 12 years ago

Resolution: fixed
Status: closed → reopened

ReadOnlyPasswordHashWidget also needs to be changed to use unsalted_md5 here:

https://code.djangoproject.com/browser/django/trunk/django/contrib/auth/forms.py#L32

comment:6 by Paul McMillan, 12 years ago

Resolution: fixed
Status: reopened → closed

In [17681]:

Fixed #17777. Unsalted MD5 display widget correction.
