Opened 21 months ago

Closed 21 months ago

Last modified 21 months ago

#21535 closed Bug (fixed)

Password hash iterations not updating.

Reported by: jared_mess
Owned by: nobody
Component: contrib.auth
Version: 1.6
Severity: Release blocker
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

If you follow the steps in the documentation (https://docs.djangoproject.com/en/dev/topics/auth/passwords/) to change the hash iterations through a subclass, the iterations don't update.

This looks like a trivial fix.
In hashers.py, check_password(password, encoded, setter=None, preferred='default'), it calls hasher.must_update instead of preferred.must_update.

This is my first bug report here. I've read through all of the FAQ and searched the bug DB, and couldn't find anything. If I've made a mistake or broken a cardinal rule, please let me know.
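A runnable model of the call-site mix-up described in the report, added here as an illustration (it is not Django's code, and the class and function names are simplified stand-ins). It assumes the setup the docs show: the stock hasher stays listed alongside the subclass, so the algorithm-name lookup for a stored hash resolves to the stock instance rather than the subclass.

```python
import base64
import hashlib
import hmac


class PBKDF2Hasher:
    """Toy stand-in for django.contrib.auth.hashers.PBKDF2PasswordHasher."""
    algorithm = "pbkdf2_sha256"
    iterations = 12000  # Django 1.6's stock default

    def encode(self, password, salt, iterations=None):
        iterations = iterations or self.iterations
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
        return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, base64.b64encode(digest).decode())

    def verify(self, password, encoded):
        _, iterations, salt, _ = encoded.split("$", 3)
        return hmac.compare_digest(encoded, self.encode(password, salt, int(iterations)))

    def must_update(self, encoded):
        # Only compares the stored count against *this* hasher's iteration count.
        return int(encoded.split("$", 3)[1]) != self.iterations


class MyPBKDF2Hasher(PBKDF2Hasher):
    """The subclass the docs tell you to write to raise the work factor."""
    iterations = 20000


def check_password(password, encoded, setter, preferred, hasher, fixed):
    """Mirrors the 1.6 logic; `fixed` selects the one-word change from the ticket."""
    must_update = hasher.algorithm != preferred.algorithm
    if not must_update:
        # Bug: the hasher matching the stored hash is always content with its own
        # iteration count, so a same-algorithm iteration upgrade never triggers.
        must_update = (preferred if fixed else hasher).must_update(encoded)
    is_correct = hasher.verify(password, encoded)
    if setter and is_correct and must_update:
        setter(password)
    return is_correct


def rehash_triggered(fixed):
    """Return True if a correct login would rehash a stock-iteration password."""
    stock, stronger = PBKDF2Hasher(), MyPBKDF2Hasher()
    encoded = stock.encode("correct horse", "constructedsalt")  # constructed old 12000-iteration hash
    rehashed = []
    # identify_hasher() resolves by algorithm name, which here yields the stock instance.
    check_password("correct horse", encoded, rehashed.append, stronger, stock, fixed)
    return bool(rehashed)
```

With the 1.6.0 logic the login succeeds but the setter is never called, so the weaker hash stays in the database; with `preferred.must_update` the password is rehashed at 20000 iterations on the next successful login.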

Change History (3)

comment:1 Changed 21 months ago by timo

  • Has patch set
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Severity changed from Normal to Release blocker
  • Triage Stage changed from Unreviewed to Accepted

Thanks for the report. This looks like a mistake on our part in a new feature in 1.6, so I'm marking it as a release blocker for 1.6.1. Regarding "broke a cardinal rule", note that since this is security related, it might have been better to report the issue as outlined here. In this case, there isn't any harm since this isn't a vulnerability but rather causes actual security to be lower than advertised.

I've added a pull request with the fix you outlined as well as an updated test.

comment:2 Changed 21 months ago by Tim Graham <timograham@…>

  • Resolution set to fixed
  • Status changed from new to closed

In fddb0131d37109c809ec391e1a134ef1d9e442a7:

Fixed #21535 -- Fixed password hash iteration upgrade.

Thanks jared_mess for the report.

comment:3 Changed 21 months ago by Tim Graham <timograham@…>

In 2f42bbaba739079713a555b9881ca5762ee0a0dc:

[1.6.x] Fixed #21535 -- Fixed password hash iteration upgrade.

Thanks jared_mess for the report.

Backport of fddb0131d3 from master
