Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#27010 closed Cleanup/optimization (fixed)

Argon2PasswordHasher.encode() decodes underlying hash as UTF-8 instead of ASCII

Reported by: Chris Foresman Owned by: nobody
Component: contrib.auth Version: 1.10
Severity: Normal Keywords: argon2, password, hasher
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The new Argon2PasswordHasher returns a unicode object in Python 2.7x, though argon2 itself returns only ASCII chars in its hash. Practically speaking this doesn't seem to cause a problem saving this value to a CharField, but for consistency's sake it probably needs updated to decode('ascii') instead of decode('utf-8') as other password hashers do.

Compare:
PBKDF2: https://github.com/django/django/blob/1.10/django/contrib/auth/hashers.py#L259
Argon2: https://github.com/django/django/blob/1.10/django/contrib/auth/hashers.py#L326

See also argon2-cffi: https://github.com/hynek/argon2_cffi/blob/master/src/argon2/_password_hasher.py#L106

Change History (5)

comment:1 by Chris Foresman, 8 years ago

Summary: Argon2PassowrdHasher.encode() returns unicode instead of asciiArgon2PasswordHasher.encode() returns unicode instead of ascii

comment:2 by Carl Meyer, 8 years ago

Summary: Argon2PasswordHasher.encode() returns unicode instead of asciiArgon2PasswordHasher.encode() decodes underlying hash as UTF-8 instead of ASCII
Triage Stage: UnreviewedAccepted

To be clear, .decode('utf-8') and .decode('ascii') both return a unicode object (in Py2, str in Py3). The only difference is in how the bytes are interpreted when decoding. Decoding as UTF-8 expects non-ASCII characters in the bytestring to be encoded as UTF-8, decoding as ASCII will choke on any non-ASCII characters in the bytestring.

Given that the underlying hasher will only generate strings containing ASCII characters anyway, there is zero functional difference here between .decode('utf-8') and .decode('ascii'). It's still probably worth switching to the latter, for better clarity (to avoid people wondering what in the world the Argon2 hasher needs UTF-8 for).

comment:3 by Claude Paroz, 8 years ago

Type: BugCleanup/optimization

comment:4 by GitHub <noreply@…>, 8 years ago

Resolution: fixed
Status: newclosed

In 967aa7f6:

Fixed #27010 -- Made Argon2PasswordHasher decode with ASCII.

The underlying hasher only generates strings containing ASCII
characters so this is merely a cosmetic change.

comment:5 by Tim Graham <timograham@…>, 8 years ago

In 4a0c9e0:

[1.10.x] Fixed #27010 -- Made Argon2PasswordHasher decode with ASCII.

The underlying hasher only generates strings containing ASCII
characters so this is merely a cosmetic change.
Backport of 967aa7f6cc720b11e38b7e0cbeffc2c95c64fa05 from master

Note: See TracTickets for help on using tickets.
Back to Top