Code

#19687 closed Bug (duplicate)

UnsaltedMD5PasswordHasher throws exception on verify() with md5$$SALT

Reported by: twig@… Owned by: nobody
Component: contrib.auth Version: 1.4
Severity: Normal Keywords: login
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

After upgrading from v1.2.7 to 1.4.3, users had no way of logging in.

I noticed that the UnsaltedMD5PasswordHasher.verify() was passing the wrong arguments to constant_time_compare(). The arg "encoded" includes the algorithm and prefix "md5$$", so we need to strip it out first.

Should change:

return constant_time_compare(encoded, encoded_2

To:

return constant_time_compare(encoded[5:], encoded_2)

Attachments (0)

Change History (2)

comment:1 Changed 15 months ago by twig@…

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

I've made a pull request at https://github.com/django/django/pull/681

comment:2 Changed 15 months ago by claudep

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #18144

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.