Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#21535 closed Bug (fixed)

Password hash iterations not updating.

Reported by: jared_mess
Owned by: nobody
Component: contrib.auth
Version: 1.6
Severity: Release blocker
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

If you follow the steps in the documentation: https://docs.djangoproject.com/en/dev/topics/auth/passwords/ to change the hash iterations through a subclass, the iterations don't update.

This looks like a trivial fix.
In hashers.py, check_password(password, encoded, setter=None, preferred='default'), it calls hasher.must_update instead of preferred.must_update.

*This is my first bug report here. I've read through all the FAQ and searched the bug DB, and couldn't find anything. If I've made a mistake, broke a cardinal rule, please let me know.
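The following sketch is an added illustration, not Django's code and not part of the ticket. It models the check described in the report to show why stored hashes keep the old work factor when the stored hash's hasher, rather than the preferred one, decides whether an update is needed. The class names, iteration counts, salt, the `fixed` switch and the assumption that a stored hash resolves to the stock hasher by algorithm name are all constructed for the example.

```python
import hashlib
import hmac

class PBKDF2Hasher:
    algorithm = "pbkdf2_sha256"
    iterations = 12000  # constructed "stock" work factor for this sketch

    def encode(self, password, salt, iterations=None):
        n = iterations or self.iterations
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), n)
        return "%s$%d$%s$%s" % (self.algorithm, n, salt, dk.hex())

    def verify(self, password, encoded):
        _, n, salt, _ = encoded.split("$")
        return hmac.compare_digest(self.encode(password, salt, int(n)), encoded)

    def must_update(self, encoded):
        return int(encoded.split("$")[1]) != self.iterations

class StrongerHasher(PBKDF2Hasher):
    iterations = 24000  # subclass that raises the iterations, same algorithm name

# Assumption: a stored hash is resolved by its algorithm prefix and that lookup
# yields the stock hasher, while the configured preferred hasher is the subclass.
BY_ALGORITHM = {PBKDF2Hasher.algorithm: PBKDF2Hasher()}
PREFERRED = StrongerHasher()

def check_password(password, encoded, setter=None, fixed=True):
    hasher = BY_ALGORITHM[encoded.split("$", 1)[0]]
    must_update = hasher.algorithm != PREFERRED.algorithm
    if not must_update:
        # Reported behaviour asks `hasher`; the fix asks `PREFERRED`.
        judge = PREFERRED if fixed else hasher
        must_update = judge.must_update(encoded)
    is_correct = hasher.verify(password, encoded)
    if setter and is_correct and must_update:
        setter(password)  # re-hash with the preferred hasher on successful login
    return is_correct

def login_and_get_stored(fixed, attempt="s3cret"):
    # Constructed account whose hash was stored with the stock work factor.
    store = {"hash": PBKDF2Hasher().encode("s3cret", "constructedsalt")}
    def setter(raw):
        store["hash"] = PREFERRED.encode(raw, "constructedsalt")
    ok = check_password(attempt, store["hash"], setter, fixed=fixed)
    return ok, int(store["hash"].split("$")[1])
```

With `fixed=False` a correct login succeeds but the stored hash stays at the old iteration count; with `fixed=True` the same login re-hashes it at the subclass's count.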

Change History (3)

comment:1 Changed 3 years ago by Tim Graham

Has patch: set
Severity: Normal → Release blocker
Triage Stage: Unreviewed → Accepted

Thanks for the report. This looks like a mistake on our part in a new feature in 1.6, so I'm marking it as a release blocker for 1.6.1. Regarding "broke a cardinal rule", note that since this is security related, it might have been better to report the issue as outlined here. In this case, there isn't any harm since this isn't a vulnerability but rather causes actual security to be lower than advertised.

I've added a pull request with the fix you outlined as well as an updated test.

comment:2 Changed 3 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: new → closed

In fddb0131d37109c809ec391e1a134ef1d9e442a7:

Fixed #21535 -- Fixed password hash iteration upgrade.

Thanks jared_mess for the report.

comment:3 Changed 3 years ago by Tim Graham <timograham@…>

In 2f42bbaba739079713a555b9881ca5762ee0a0dc:

[1.6.x] Fixed #21535 -- Fixed password hash iteration upgrade.

Thanks jared_mess for the report.

Backport of fddb0131d3 from master
