If a password is somehow created without being hashed - say by the developer setting user.password directly rather than via set_password - the check_password function wrongly assumes that the entire password is the hashing algorithm, and passes it to get_hasher, resulting in an error message which reveals the actual password:
>>> user = User.objects.create(username='foo', password='bar')
>>> authenticate(username='foo', password='bar')
ValueError: Unknown password hashing algorithm 'bar'. Did you specify it in the PASSWORD_HASHERS setting?
The bug is in django.contrib.auth.hashers.check_password, line 41, where it assumes that the result of encoded.split('$', 1) will always be an algorithm, when in the above case it's the password itself.
Although the password shouldn't have been created in this way in the first place, the code in check_password should be more intelligent about whether or not it's found an algorithm name.
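The following is an added illustration, not Django's own code, of the parsing mistake described above and of a defensive alternative. It mirrors the 'algorithm$iterations$salt$hash' layout of a pbkdf2_sha256 entry but implements it itself with hashlib; KNOWN_HASHERS is a constructed stand-in for the PASSWORD_HASHERS setting, and the function names are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed stand-in for the PASSWORD_HASHERS setting: one algorithm is enough here.
KNOWN_HASHERS = {"pbkdf2_sha256"}


def make_password(password, salt=None, iterations=20000):
    """Encode a password in the 'algorithm$iterations$salt$hash' layout."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(digest).decode())


def get_algorithm_naive(encoded):
    """The flawed assumption: text before the first '$' is always an algorithm name.
    A stored value with no '$' (an unhashed password) ends up verbatim in the error."""
    algorithm = encoded.split("$", 1)[0]
    if algorithm not in KNOWN_HASHERS:
        raise ValueError(
            "Unknown password hashing algorithm '%s'. Did you specify it in the "
            "PASSWORD_HASHERS setting?" % algorithm
        )
    return algorithm


def naive_error_text(encoded):
    """Return the message the naive parser produces for a bad value (None if it parses).
    Used to show that the message contains the stored value itself."""
    try:
        get_algorithm_naive(encoded)
    except ValueError as exc:
        return str(exc)
    return None


def get_algorithm_safe(encoded):
    """Accept only values with the expected shape and a known algorithm name.
    Returns None otherwise, so the caller never has to echo the stored value."""
    if not isinstance(encoded, str) or encoded.count("$") < 3:
        return None
    algorithm = encoded.split("$", 1)[0]
    return algorithm if algorithm in KNOWN_HASHERS else None


def check_password_safe(password, encoded):
    """Verify a password; an unparseable stored value is simply a failed check,
    and no part of it is placed in an exception message."""
    if get_algorithm_safe(encoded) is None:
        return False
    _, iterations, salt, stored = encoded.split("$", 3)
    if not iterations.isdigit():
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(iterations))
    # Constant-time comparison of the stored and recomputed digests.
    return hmac.compare_digest(base64.b64encode(digest).decode(), stored)


if __name__ == "__main__":
    # Constructed inputs: an unhashed value as in the report, and a properly encoded one.
    print(naive_error_text("bar"))            # message contains 'bar'
    print(check_password_safe("bar", "bar"))  # False, nothing disclosed
    print(check_password_safe("bar", make_password("bar")))  # True
```

The defensive version treats the missing-'$' case as "not a hash" rather than "an unknown hasher", which is the distinction the report asks check_password to make; a log line or exception that needs to mention the problem can say the stored value was unparseable without quoting it.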