Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#29652 closed Bug (fixed)

Document that Django 2.1 dropped compatibility with py-bcrypt

Reported by: Jens-Wolfhard Schicke-Uffmann Owned by: nobody
Component: contrib.auth Version: 2.1
Severity: Normal Keywords:
Cc: Herbert Fortes, Jens-Wolfhard Schicke-Uffmann Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description (last modified by Jens-Wolfhard Schicke-Uffmann)

The BCryptSHA256PasswordHasher tries to decode the result of bcrypt.hashpw, which however is already a str (and not bytes).

#!/usr/bin/env python
# Reproduction: run with Django 2.1 and py-bcrypt 0.4 installed

from django.contrib.auth.hashers import BCryptSHA256PasswordHasher

hasher = BCryptSHA256PasswordHasher()
hasher.encode('secret', hasher.salt())

results in

Traceback (most recent call last):
  File "issue.py", line 6, in <module>
    hasher.encode('secret', hasher.salt())
  File "/mnt/crypt/drahflow/.virtualenvs/NDA/lib/python3.6/site-packages/django/contrib/auth/hashers.py", line 417, in encode
    return "%s$%s" % (self.algorithm, data.decode('ascii'))
AttributeError: 'str' object has no attribute 'decode'

The bug was introduced in: https://github.com/django/django/commit/16c5a334ff3ad9d8b3cd1314562c7af20a2a7c7d
Other hashers might be affected; I didn't check.
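The failure above is a type mismatch between two bcrypt backends: Django 2.1's hasher passes bytes into bcrypt.hashpw() and calls .decode('ascii') on the result, which the bcrypt package returns as bytes but py-bcrypt returns as str. The probe below is an added example, not Django's or the reporter's code. It drives a bcrypt-like module through the same steps Django 2.1's BCryptSHA256PasswordHasher.encode() performs (sha256 pre-hash, hexlify, hashpw, decode) and reports which step a py-bcrypt-style backend would fail on, so the mismatch surfaces in a pre-upgrade check rather than at the first password set or login. The two stand-in backends are constructed for this example and are not bcrypt; probe_installed() assumes the real bcrypt package exposes gensalt(rounds) and hashpw(password, salt).

```python
"""Pre-upgrade probe: does the installed bcrypt backend behave the way
Django 2.1's BCryptSHA256PasswordHasher expects (bytes in, bytes out)?

Added example, not Django's or the ticket reporter's code.
"""
import binascii
import hashlib
import types


def probe_backend(backend, rounds=4):
    """Run Django 2.1's encode() steps against a bcrypt-like module.

    Returns a report dict; 'compatible' is True only if hashpw() accepted
    bytes and returned bytes that decode as ASCII. rounds=4 is bcrypt's
    minimum cost, fine for a probe that never stores the result.
    """
    report = {"gensalt_bytes": False, "hashpw_bytes": False,
              "compatible": False, "error": None}
    try:
        salt = backend.gensalt(rounds)
        report["gensalt_bytes"] = isinstance(salt, bytes)
        # Same pre-hash Django applies to avoid bcrypt's 72-byte truncation:
        # sha256 digest, hex-encoded so it stays bytes.
        password = binascii.hexlify(hashlib.sha256(b"probe-only").digest())
        data = backend.hashpw(password, salt)
        report["hashpw_bytes"] = isinstance(data, bytes)
        if not report["hashpw_bytes"]:
            # This is the exact step where the ticket's traceback occurs.
            raise AttributeError("hashpw() returned %s, not bytes"
                                 % type(data).__name__)
        data.decode("ascii")
        report["compatible"] = True
    except Exception as exc:  # diagnostic: report, don't crash
        report["error"] = "%s: %s" % (type(exc).__name__, exc)
    return report


def _fake_tag(password, salt):
    """Constructed stand-in for hashpw(): NOT bcrypt, just salt + a sha256
    tag, so the probe can run where no bcrypt package is installed."""
    if isinstance(password, str):
        password = password.encode()
    if isinstance(salt, str):
        salt = salt.encode()
    tag = hashlib.sha256(salt + password).hexdigest()[:31]
    return salt + tag.encode("ascii")


# Constructed backend mimicking the bcrypt package: bytes in, bytes out.
BYTES_BACKEND = types.SimpleNamespace(
    gensalt=lambda rounds=12: b"$2b$%02d$" % rounds + b"a" * 22,
    hashpw=lambda password, salt: _fake_tag(password, salt),
)

# Constructed backend mimicking py-bcrypt 0.4: str out, as in the ticket.
STR_BACKEND = types.SimpleNamespace(
    gensalt=lambda rounds=12: "$2a$%02d$" % rounds + "a" * 22,
    hashpw=lambda password, salt: _fake_tag(password, salt).decode("ascii"),
)


def probe_installed():
    """Probe whatever module 'bcrypt' resolves to, or None if absent."""
    try:
        import bcrypt
    except ImportError:
        return None
    return probe_backend(bcrypt)


if __name__ == "__main__":
    for name, backend in (("bytes-style", BYTES_BACKEND),
                          ("str-style", STR_BACKEND)):
        print(name, probe_backend(backend))
    installed = probe_installed()
    print("installed bcrypt:", installed if installed else "not importable")
```

Run it in the virtualenv that will host the upgrade: a report with compatible=False and an AttributeError mentioning str is the py-bcrypt case, and the fix is the one the thread arrives at, replacing py-bcrypt in requirements.txt with the bcrypt package.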

Change History (12)

comment:1 Changed 3 years ago by Jens-Wolfhard Schicke-Uffmann

Description: modified (diff)

comment:2 Changed 3 years ago by Herbert Fortes

Cc: Herbert Fortes added

comment:3 Changed 3 years ago by Jens-Wolfhard Schicke-Uffmann

Description: modified (diff)

comment:4 Changed 3 years ago by Jens-Wolfhard Schicke-Uffmann

Cc: Jens-Wolfhard Schicke-Uffmann added

comment:5 Changed 3 years ago by Tim Graham

What version of bcrypt are you using? I don't see the crash with bcrypt 3.1.4 as bcrypt.hashpw() returns a bytestring.

comment:6 Changed 3 years ago by Jens-Wolfhard Schicke-Uffmann

Name: py-bcrypt
Version: 0.4
Summary: bcrypt password hashing and key derivation
Home-page: https://code.google.com/p/py-bcrypt

comment:7 Changed 3 years ago by Jens-Wolfhard Schicke-Uffmann

Not my choice of bcrypt implementation. The project where I observed the problem is ancient and had it lying around in requirements.txt. Switching to bcrypt 3.1.4 solves the problem for me.

Not sure if it's worthwhile to support a seamless upgrade from Django 2.0.7 to Django 2.1 for the other implementation.

comment:8 Changed 3 years ago by Tim Graham

Summary: BCryptSHA256PasswordHasher fails to encode() → Document that Django 2.1 dropped compatibility with py-bcrypt
Triage Stage: Unreviewed → Accepted

Django 1.9 also broke compatibility with py-bcrypt in #26016. At the time (3 years ago), we restored compatibility but I don't see a need to do so at this point since it looks like py-bcrypt is unmaintained. I'll document that in the release notes.

comment:9 Changed 3 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: new → closed

In 2fa3671:

Fixed #29652 -- Doc'd removal of py-bcrypt compatibility.

comment:10 Changed 3 years ago by Tim Graham <timograham@…>

In 548a2d3c:

[2.1.x] Fixed #29652 -- Doc'd removal of py-bcrypt compatibility.

Backport of 2fa36719a8fb39f2c2162f9e6430db00c6bc8412 from master

comment:11 Changed 3 years ago by Tim Graham <timograham@…>

In d0928d64:

Refs #29652 -- Fixed typo in docs/releases/2.1.txt.

comment:12 Changed 3 years ago by Tim Graham <timograham@…>

In 42f194b:

[2.1.x] Refs #29652 -- Fixed typo in docs/releases/2.1.txt.

Backport of d0928d6454d0b649663820e45d915016a2d9b001 from master
