#21535 closed Bug (fixed)
Password hash iterations not updating.
| Reported by: | jared_mess | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 1.6 |
| Severity: | Release blocker | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
If you follow the steps in the documentation:https://docs.djangoproject.com/en/dev/topics/auth/passwords/ to change the hash iterations through a subclass, the iterations don't update.
This looks like a trivial fix.
In hashers.py, check_password(password, encoded, setter=None, preferred='default'), it calls hasher.must_update instead of preferred.must_update.
*This is my first bug report here. I've read through all the FAQ and searched the bug DB, and couldn't find anything. If I've made a mistake, broke a cardinal rule, please let me know.
Change History (3)
comment:1 by , 10 years ago
| Has patch: | set |
|---|---|
| Severity: | Normal → Release blocker |
| Triage Stage: | Unreviewed → Accepted |
comment:2 by , 10 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
Thanks for the report. This looks like a mistake on our part in a new feature in 1.6, so I'm marking it as a release blocker for 1.6.1. Regarding "broke a cardinal rule", note that since this is security related, it might have been better to report the issue as outlined here. In this case, there isn't any harm since this isn't a vulnerability but rather causes actual security to be lower than advertised.
I've added a pull request with the fix you outlined as well as an updated test.