﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
19799	PASSWORD_HASHERS attempt to look up empty algorithm in certain cases	Walter Doekes	nobody	"Hi,

the Django 1.4+ `PASSWORD_HASHERS` lookup conflicts with `$1$<salt>$<password>` (md5crypt) style hashes.

I'm using Modoboa which uses its own auth first and falls back to Django auth if passwords don't match. For the aforementioned hash the `algorithm` detected becomes `''` (the empty string).

1.4:
{{{
    if len(encoded) == 32 and '$' not in encoded:
        hasher = get_hasher('unsalted_md5')
    else:
        algorithm = encoded.split('$', 1)[0]
        hasher = get_hasher(algorithm)
}}}

master:
{{{
    if ((len(encoded) == 32 and '$' not in encoded) or
            (len(encoded) == 37 and encoded.startswith('md5$$'))):
        algorithm = 'unsalted_md5'
    else:
        algorithm = encoded.split('$', 1)[0]
}}}

That yields:

`ValueError: Unknown password hashing algorithm ''. Did you specify it in the PASSWORD_HASHERS setting?`

I thought I could fix that by adding a custom hasher which always returns False, but that fails because I'm not allowed to use the empty name for `algorithm`.

`ImproperlyConfigured: hasher doesn't specify an algorithm name: modoboa.auth.hashers.NoAlgorithmHasher`

To fix this, I either need it to refuse the empty algorithm (fix1.patch), or allow the empty algorithm (fix2.patch, where I'll have my bogus hasher return false later on).

In both cases the fixes are trivial.

[[br]]
As an aside, the current `if not getattr(hasher, 'algorithm')` looks like a typo. I'd go for either `if not hasher.algorithm` or `if not getattr(hasher, 'algorithm', None)`.

{{{
        if not getattr(hasher, 'algorithm'):
            raise ImproperlyConfigured(""hasher doesn't specify an ""
                                       ""algorithm name: %s"" % backend)
}}}
[[br]]

Kind regards,[[br]]
Walter Doekes[[br]]
OSSO B.V."	New feature	closed	contrib.auth	1.4	Normal	wontfix		Walter Doekes	Design decision needed	1	0	0	0	0	0
