#29652 closed Bug (fixed)
Document that Django 2.1 dropped compatibility with py-bcrypt
Reported by: | Jens-Wolfhard Schicke-Uffmann | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | 2.1 |
Severity: | Normal | Keywords: | |
Cc: | Herbert Fortes, Jens-Wolfhard Schicke-Uffmann | Triage Stage: | Accepted |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
The BCryptSHA256PasswordHasher tries to decode the result of bcrypt.hashpw, which however is already a str (and not bytes).
```python
#!/usr/bin/env python

from django.contrib.auth.hashers import BCryptSHA256PasswordHasher

hasher = BCryptSHA256PasswordHasher()
hasher.encode('secret', hasher.salt())
```
results in
```
Traceback (most recent call last):
  File "issue.py", line 6, in <module>
    hasher.encode('secret', hasher.salt())
  File "/mnt/crypt/drahflow/.virtualenvs/NDA/lib/python3.6/site-packages/django/contrib/auth/hashers.py", line 417, in encode
    return "%s$%s" % (self.algorithm, data.decode('ascii'))
AttributeError: 'str' object has no attribute 'decode'
```
The bug was introduced in: https://github.com/django/django/commit/16c5a334ff3ad9d8b3cd1314562c7af20a2a7c7d
Other hashers might be affected, I didn't check.
Change History (12)
comment:1 by , 6 years ago
Description: | modified (diff) |
---|
comment:2 by , 6 years ago
Cc: | added |
---|
comment:3 by , 6 years ago
Description: | modified (diff) |
---|
comment:4 by , 6 years ago
Cc: | added |
---|
comment:5 by , 6 years ago
comment:6 by , 6 years ago
Name: py-bcrypt
Version: 0.4
Summary: bcrypt password hashing and key derivation
Home-page: https://code.google.com/p/py-bcrypt
comment:7 by , 6 years ago
Not my choice of bcrypt implementation. The project where I observed the problem is ancient and had it lying around in requirements.txt. Switching to bcrypt 3.1.4 solves the problem for me.
Not sure if it's worthwhile to support a seamless upgrade from Django 2.0.7 to Django 2.1 for the other implementation.
comment:8 by , 6 years ago
Summary: | BCryptSHA256PasswordHasher fails to encode() → Document that Django 2.1 dropped compatibility with py-bcrypt |
---|---|
Triage Stage: | Unreviewed → Accepted |
Django 1.9 also broke compatibility with py-bcrypt in #26016. At the time (3 years ago), we restored compatibility but I don't see a need to do so at this point since it looks like py-bcrypt is unmaintained. I'll document that in the release notes.
What version of bcrypt are you using? I don't see the crash with bcrypt 3.1.4 as `bcrypt.hashpw()` returns a bytestring.
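A pre-upgrade check for the situation in this ticket, added here as an example; it is not code from Django or from the reporter's project. It flags a py-bcrypt pin in a requirements file and reports whether a `hashpw`-style function returns `bytes` or `str`. The function names, the sample requirements text and the two stand-in backends are constructed for illustration.

```python
import re

LEGACY = "py-bcrypt"  # distribution this ticket says Django 2.1 no longer supports

def normalize(name):
    """PEP 503 name normalisation: case-insensitive, runs of - _ . are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def find_legacy_pins(requirements_text):
    """Return (line_number, requirement) for each line that installs py-bcrypt."""
    hits = []
    for number, raw in enumerate(requirements_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not line or line.startswith("-"):       # blank lines and pip options
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match and normalize(match.group(0)) == LEGACY:
            hits.append((number, line))
    return hits

def hashpw_return_kind(hashpw, salt):
    """Call a hashpw-style function once and report the type it returns.

    'bytes' is what the hasher's data.decode('ascii') needs; 'str' reproduces
    the AttributeError in the traceback above.
    """
    result = hashpw(b"probe-password", salt)
    return "bytes" if isinstance(result, bytes) else type(result).__name__

# Constructed sample input, not taken from the reporter's project.
SAMPLE_REQUIREMENTS = """\
Django==2.1
# password hashing
Py_Bcrypt==0.4   # legacy pin
requests>=2.0
"""

# Constructed stand-ins for the two return types discussed in the ticket, so the
# example runs without either library installed. They do not hash anything.
def fake_str_hashpw(password, salt):
    return "$2a$12$" + "x" * 53

def fake_bytes_hashpw(password, salt):
    return b"$2a$12$" + b"x" * 53

if __name__ == "__main__":
    print(find_legacy_pins(SAMPLE_REQUIREMENTS))
    print(hashpw_return_kind(fake_str_hashpw, b"salt"))
    print(hashpw_return_kind(fake_bytes_hashpw, b"salt"))
```

In a real environment, pass `bcrypt.hashpw` and `bcrypt.gensalt()` to `hashpw_return_kind` in place of the stand-ins; both distributions install a module named `bcrypt`, so the import alone does not tell them apart.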