Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#31719 closed Bug (invalid)

Remaining data.decode('ascii') @ hashers.py, but data is a str

Reported by: Marcel Nogueira d' Eurydice
Owned by: nobody
Component: contrib.auth
Version: 3.0
Severity: Normal
Keywords: string, decode, python3
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

BCryptSHA256PasswordHasher class method encode tries to decode data, but data is a str. In Python 3, a str instance does not have a decode method.

def encode(self, password, salt):
        bcrypt = self._load_library()
        password = password.encode()
        # Hash the password prior to using bcrypt to prevent password
        # truncation as described in #20138.
        if self.digest is not None:
            # Use binascii.hexlify() because a hex encoded bytestring is str.
            password = binascii.hexlify(self.digest(password).digest())

        data = bcrypt.hashpw(password, salt)
        return "%s$%s" % (self.algorithm, data.decode('ascii'))

The return statement should be

        return "%s$%s" % (self.algorithm, data)

Change History (6)

comment:1 by Simon Charette, 4 years ago

Resolution: invalid
Status: new → closed

bcrypt.hashpw returns bytes (and not str), which does have a .decode method, and its usage is necessary for the string interpolation into "%s$%s" to work properly.

>>> import bcrypt
>>> type(bcrypt.hashpw(b'password', bcrypt.gensalt()))
bytes

comment:2 by naohide, 4 years ago

I'm facing the same issue. I tried to check the type but I got str. I don't know why, though.

import bcrypt
type(bcrypt.hashpw(b'password', bcrypt.gensalt()))
<class 'str'>

comment:3 by Mariusz Felisiak, 4 years ago

naohide, probably because you're using Python 2 which is not supported.

in reply to:  3 comment:4 by naohide, 4 years ago

Replying to felixxm:

> naohide, probably because you're using Python 2 which is not supported.

No, I'm using Python 3.8.5.


comment:5 by naohide, 4 years ago

I checked _bcrypt.py and this might be the reason. I'm using https://pypi.org/project/py-bcrypt/ and called this package's bcrypt.

What do you guys use normally?


# encoding: utf-8
# module bcrypt._bcrypt
# from /.virtualenvs/project/lib/python3.8/site-packages/bcrypt/_bcrypt.cpython-38-darwin.so
# by generator 1.145
""" Internal module used by bcrypt. """


in reply to:  5 comment:6 by naohide, 4 years ago

Replying to naohide:

> I checked _bcrypt.py and this might be the reason. I'm using https://pypi.org/project/py-bcrypt/ and called this package's bcrypt.
>
> What do you guys use normally?
>
> # encoding: utf-8
> # module bcrypt._bcrypt
> # from /.virtualenvs/project/lib/python3.8/site-packages/bcrypt/_bcrypt.cpython-38-darwin.so
> # by generator 1.145
> """ Internal module used by bcrypt. """

Got it. I changed py-bcrypt to https://pypi.org/project/bcrypt/ and it worked fine for me!
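
The mix-up resolved in this thread (two distributions that both install a module named `bcrypt`, with different return types from `hashpw`) can be caught with an explicit check. The following is an added example, not code from the ticket or from Django; `bcrypt_providers`, `encode_checked` and the two `hashpw_returning_*` stand-ins are hypothetical names, and the stand-ins return constructed values rather than real bcrypt hashes.

```python
import binascii
import hashlib
from importlib import metadata


def bcrypt_providers():
    """Names of installed distributions that ship a top-level `bcrypt` module.

    More than one name, or a name other than "bcrypt", points at the
    py-bcrypt mix-up from this ticket. Requires Python 3.10+.
    """
    return sorted(set(metadata.packages_distributions().get("bcrypt", [])))


def encode_checked(hashpw, password, salt, algorithm="bcrypt_sha256"):
    """The ticket's encode() steps, with an explicit check on hashpw's result."""
    # Pre-hash with SHA-256 and hex-encode, as in the quoted method.
    digest = binascii.hexlify(hashlib.sha256(password.encode()).digest())
    data = hashpw(digest, salt)
    if not isinstance(data, bytes):
        raise TypeError(
            "hashpw returned %s, expected bytes; see bcrypt_providers() for "
            "the distribution that supplies 'bcrypt'" % type(data).__name__
        )
    return "%s$%s" % (algorithm, data.decode("ascii"))


# Constructed stand-ins (not real bcrypt output) for the two return types
# reported in the thread.
def hashpw_returning_bytes(password, salt):
    return salt + b"CONSTRUCTEDHASH"


def hashpw_returning_str(password, salt):
    return (salt + b"CONSTRUCTEDHASH").decode("ascii")


if __name__ == "__main__":
    salt = b"$2b$12$CONSTRUCTEDSALT"  # constructed sample value
    print(encode_checked(hashpw_returning_bytes, "password", salt))
    try:
        encode_checked(hashpw_returning_str, "password", salt)
    except TypeError as exc:
        print("rejected:", exc)
    print("providers of 'bcrypt':", bcrypt_providers())
```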
