Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#21535 closed Bug (fixed)

Password hash iterations not updating.

Reported by: jared_mess Owned by: nobody
Component: contrib.auth Version: 1.6
Severity: Release blocker Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

If you follow the steps in the documentation:https://docs.djangoproject.com/en/dev/topics/auth/passwords/ to change the hash iterations through a subclass, the iterations don't update.

This looks like a trivial fix.
In hashers.py, check_password(password, encoded, setter=None, preferred='default'), it calls hasher.must_update instead of preferred.must_update.

*This is my first bug report here. I've read through all the FAQ and searched the bug DB, and couldn't find anything. If I've made a mistake, broke a cardinal rule, please let me know.

Change History (3)

comment:1 by Tim Graham, 11 years ago

Has patch: set
Severity: NormalRelease blocker
Triage Stage: UnreviewedAccepted

Thanks for the report. This looks like a mistake on our part in a new feature in 1.6, so I'm marking it as a release blocker for 1.6.1. Regarding "broke a cardinal rule", note that since this is security related, it might have been better to report the issue as outlined here. In this case, there isn't any harm since this isn't a vulnerability but rather causes actual security to be lower than advertised.

I've added a pull request with the fix you outlined as well as an updated test.

comment:2 by Tim Graham <timograham@…>, 11 years ago

Resolution: fixed
Status: newclosed

In fddb0131d37109c809ec391e1a134ef1d9e442a7:

Fixed #21535 -- Fixed password hash iteration upgrade.

Thanks jared_mess for the report.

comment:3 by Tim Graham <timograham@…>, 11 years ago

In 2f42bbaba739079713a555b9881ca5762ee0a0dc:

[1.6.x] Fixed #21535 -- Fixed password hash iteration upgrade.

Thanks jared_mess for the report.

Backport of fddb0131d3 from master

Note: See TracTickets for help on using tickets.
Back to Top