Opened 7 years ago

Closed 7 years ago

#4170 closed (wontfix)

Admin password can be set to empty

Reported by: bruno@…
Owned by: adrian
Component: contrib.admin
Version: master
Severity:
Keywords: password admin user auth
Cc:
Triage Stage: Design decision needed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

Following this article: http://coderseye.com/2007/howto-reset-the-admin-password-in-django.html it appears that you can use the User model to set any password (including admin) to an empty string without an error message.

$ sudo ./manage.py shell
Python 2.4.3 (#2, Oct  6 2006, 07:52:30)
[GCC 4.0.3 (Ubuntu 4.0.3-1ubuntu5)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> from django.contrib.auth.models import User
>>> users = User.objects.all()
>>> users
[<User: bruno>]
>>> users[0].set_password('')
>>> users[0].save()
>>>

Worse, if you connect to the admin interface, it lets you in using an empty password.

Attachments (0)

Change History (4)

comment:1 Changed 7 years ago by Simon G. <dev@…>

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Design decision needed

We should probably fix the empty-password-allowing-login issue in admin at least.

comment:2 Changed 7 years ago by ubernostrum

I'm not sure there's actually a bug here; Django lets you set your password to anything you like, and while this may sound harsh, it's up to a user not to set a really bad password.

comment:3 Changed 7 years ago by ubernostrum

(and the reason why the empty-string password works, btw, is that the DB ends up storing the salted SHA1 hash of an empty string, not the empty string itself)

comment:4 Changed 7 years ago by Simon G. <dev@…>

  • Resolution set to wontfix
  • Status changed from new to closed

Hmm.. I can definitely see both points of view here.

It just feels *wrong* to allow an empty password ever. *However*, the admin site does prevent you from changing your password to an empty one (not directly though - you get a "this field is required" validation error). The only way to change this to an empty password is via the User model (either via set_password or directly modifying it), and if a malicious user has access to that, then you have bigger issues to deal with.

I've marked this as wontfix, but if anyone else has anything to add, please jump in.
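The following is an added example, not code from the ticket or from Django itself, that reconstructs the behaviour described in the report, in comment:3 (the DB stores the salted SHA1 of the empty string, so an empty password verifies) and in comment:4 (the admin form's required-field check is the only thing that blocks an empty password, and the model bypasses it). The `algo$salt$hexdigest` helpers, the `User`, `HardenedUser`, `ValidationError` and `clean_password` names are all assumptions made for this illustration and are not Django's own API; `HardenedUser` shows where a non-empty check would have to live to close the hole the ticket reports.

```python
import hashlib
import hmac
import secrets

# Stand-alone reconstruction of the legacy "algo$salt$hexdigest" storage
# format that comment:3 describes.  Written for this example; it is not
# Django's contrib.auth code, and the class and function names are invented.
ALGO = "sha1"


class ValidationError(Exception):
    """Stand-in for the form-level error the admin raises on a blank field."""


def get_hexdigest(salt, raw_password):
    # sha1(salt + password).  For raw_password == "" this is just sha1(salt),
    # a perfectly valid digest: that is why the empty password "works".
    return hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()


def make_password(raw_password):
    salt = secrets.token_hex(3)[:5]  # five hex characters of salt
    return "%s$%s$%s" % (ALGO, salt, get_hexdigest(salt, raw_password))


def check_password(raw_password, encoded):
    parts = encoded.split("$")
    if len(parts) != 3 or parts[0] != ALGO:
        return False  # unparsable or foreign value never matches
    _, salt, hsh = parts
    return hmac.compare_digest(hsh, get_hexdigest(salt, raw_password))


class User:
    """Model layer as the ticket observes it: set_password accepts anything."""

    def __init__(self, username):
        self.username = username
        self.password = ""  # what the DB column would hold

    def set_password(self, raw_password):
        self.password = make_password(raw_password)

    def check_password(self, raw_password):
        return check_password(raw_password, self.password)


def clean_password(value):
    """Form layer as comment:4 describes it: a required field rejects ''."""
    if not value:
        raise ValidationError("This field is required.")
    return value


class HardenedUser(User):
    """Hypothetical variant: the non-empty check moves into the model, so a
    shell session or script cannot bypass the admin form's validation."""

    def set_password(self, raw_password):
        if not raw_password or not raw_password.strip():
            raise ValueError("password must not be empty or blank")
        super().set_password(raw_password)


def reproduce():
    """Replays the reporter's shell session. Returns the stored value and
    whether a login with the empty password would succeed."""
    user = User("bruno")
    user.set_password("")  # silently accepted, as reported
    return user.password, user.check_password("")


if __name__ == "__main__":
    stored, login_ok = reproduce()
    print("stored:", stored)
    print("empty password accepted:", login_ok)
```

Running `reproduce()` shows a stored value of the form `sha1$<salt>$<hexdigest>`, never the literal empty string, and `check_password("")` returning `True`: the verifier has no way to tell a hash of `""` from a hash of any other password. `clean_password("")` raises the same kind of error the admin form shows, which is why the form path is safe while `User.set_password('')` is not; `HardenedUser` rejects empty and whitespace-only passwords at the model layer regardless of how they arrive.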
