Raw password echoed on authentication if no hashing used
|Reported by:||danielr||Owned by:||Claude Paroz <claude@…>|
|Cc:||liokmkoil@…, moritz.sichert@…||Triage Stage:||Accepted|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
If a password is somehow created without being hashed - say by the developer setting user.password directly rather than via set_password - the check_password function wrongly assumes that the entire password is the hashing algorithm, and passes it to get_hasher, resulting in an error message which reveals the actual password:
>>> user = User.objects.create(username='foo', password='bar') >>> authenticate(username='foo', password='bar') ... ValueError: Unknown password hashing algorithm 'bar'. Did you specify it in the PASSWORD_HASHERS setting?
The bug is in django.contrib.auth.hashers.check_password, line 41, where it assumes that the result of encoded.split('$', 1) will always be an algorithm, when in the above case it's the password itself.
Although the password shouldn't have been created in this way in the first place, the code in check_password should be more intelligent about whether or not it's found an algorithm name.
Change History (17)
comment:1 Changed 3 years ago by Li Meng <liokmkoil@…>
- Cc liokmkoil@… added
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
comment:3 Changed 3 years ago by moritzs
- Owner changed from nobody to moritzs
- Status changed from new to assigned
comment:4 Changed 3 years ago by moritzs
- Cc moritzs added
- Has patch set