Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Revert "[1.4.x] Ensure that passwords are never long enough for a DoS."

This reverts commit 3f3d887.

This fix is no longer necessary, our pbkdf2 (see next commit) implementation
no longer rehashes the password every iteration.
  • Loading branch information...
commit 0317edf0c7779902d49c6efb8242af61e5569cde 1 parent ca77e38
@apollo13 apollo13 authored
View
51 django/contrib/auth/forms.py
@@ -8,10 +8,7 @@
from django.contrib.auth import authenticate
from django.contrib.auth.models import User
-from django.contrib.auth.hashers import (
- MAXIMUM_PASSWORD_LENGTH, UNUSABLE_PASSWORD,
- is_password_usable, get_hasher
-)
+from django.contrib.auth.hashers import UNUSABLE_PASSWORD, is_password_usable, get_hasher
from django.contrib.auth.tokens import default_token_generator
from django.contrib.sites.models import get_current_site
@@ -73,11 +70,10 @@ class UserCreationForm(forms.ModelForm):
'invalid': _("This value may contain only letters, numbers and "
"@/./+/-/_ characters.")})
password1 = forms.CharField(label=_("Password"),
- widget=forms.PasswordInput, max_length=MAXIMUM_PASSWORD_LENGTH)
+ widget=forms.PasswordInput)
password2 = forms.CharField(label=_("Password confirmation"),
widget=forms.PasswordInput,
- max_length=MAXIMUM_PASSWORD_LENGTH,
- help_text=_("Enter the same password as above, for verification."))
+ help_text = _("Enter the same password as above, for verification."))
class Meta:
model = User
@@ -141,11 +137,7 @@ class AuthenticationForm(forms.Form):
username/password logins.
"""
username = forms.CharField(label=_("Username"), max_length=30)
- password = forms.CharField(
- label=_("Password"),
- widget=forms.PasswordInput,
- max_length=MAXIMUM_PASSWORD_LENGTH,
- )
+ password = forms.CharField(label=_("Password"), widget=forms.PasswordInput)
error_messages = {
'invalid_login': _("Please enter a correct username and password. "
@@ -258,16 +250,10 @@ class SetPasswordForm(forms.Form):
error_messages = {
'password_mismatch': _("The two password fields didn't match."),
}
- new_password1 = forms.CharField(
- label=_("New password"),
- widget=forms.PasswordInput,
- max_length=MAXIMUM_PASSWORD_LENGTH,
- )
- new_password2 = forms.CharField(
- label=_("New password confirmation"),
- widget=forms.PasswordInput,
- max_length=MAXIMUM_PASSWORD_LENGTH,
- )
+ new_password1 = forms.CharField(label=_("New password"),
+ widget=forms.PasswordInput)
+ new_password2 = forms.CharField(label=_("New password confirmation"),
+ widget=forms.PasswordInput)
def __init__(self, user, *args, **kwargs):
self.user = user
@@ -298,11 +284,8 @@ class PasswordChangeForm(SetPasswordForm):
'password_incorrect': _("Your old password was entered incorrectly. "
"Please enter it again."),
})
- old_password = forms.CharField(
- label=_("Old password"),
- widget=forms.PasswordInput,
- max_length=MAXIMUM_PASSWORD_LENGTH,
- )
+ old_password = forms.CharField(label=_("Old password"),
+ widget=forms.PasswordInput)
def clean_old_password(self):
"""
@@ -324,16 +307,10 @@ class AdminPasswordChangeForm(forms.Form):
error_messages = {
'password_mismatch': _("The two password fields didn't match."),
}
- password1 = forms.CharField(
- label=_("Password"),
- widget=forms.PasswordInput,
- max_length=MAXIMUM_PASSWORD_LENGTH,
- )
- password2 = forms.CharField(
- label=_("Password (again)"),
- widget=forms.PasswordInput,
- max_length=MAXIMUM_PASSWORD_LENGTH,
- )
+ password1 = forms.CharField(label=_("Password"),
+ widget=forms.PasswordInput)
+ password2 = forms.CharField(label=_("Password (again)"),
+ widget=forms.PasswordInput)
def __init__(self, user, *args, **kwargs):
self.user = user
View
29 django/contrib/auth/hashers.py
@@ -1,4 +1,3 @@
-import functools
import hashlib
from django.conf import settings
@@ -12,23 +11,10 @@
UNUSABLE_PASSWORD = '!' # This will never be a valid encoded hash
-MAXIMUM_PASSWORD_LENGTH = 4096 # The maximum length a password can be to prevent DoS
HASHERS = None # lazily loaded from PASSWORD_HASHERS
PREFERRED_HASHER = None # defaults to first item in PASSWORD_HASHERS
-def password_max_length(max_length):
- def inner(fn):
- @functools.wraps(fn)
- def wrapper(self, password, *args, **kwargs):
- if len(password) > max_length:
- raise ValueError("Invalid password; Must be less than or equal"
- " to %d bytes" % max_length)
- return fn(self, password, *args, **kwargs)
- return wrapper
- return inner
-
-
def is_password_usable(encoded):
return (encoded is not None and encoded != UNUSABLE_PASSWORD)
@@ -216,7 +202,6 @@ class PBKDF2PasswordHasher(BasePasswordHasher):
iterations = 10000
digest = hashlib.sha256
- @password_max_length(MAXIMUM_PASSWORD_LENGTH)
def encode(self, password, salt, iterations=None):
assert password
assert salt and '$' not in salt
@@ -226,7 +211,6 @@ def encode(self, password, salt, iterations=None):
hash = hash.encode('base64').strip()
return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash)
- @password_max_length(MAXIMUM_PASSWORD_LENGTH)
def verify(self, password, encoded):
algorithm, iterations, salt, hash = encoded.split('$', 3)
assert algorithm == self.algorithm
@@ -272,13 +256,11 @@ def salt(self):
bcrypt = self._load_library()
return bcrypt.gensalt(self.rounds)
- @password_max_length(MAXIMUM_PASSWORD_LENGTH)
def encode(self, password, salt):
bcrypt = self._load_library()
data = bcrypt.hashpw(password, salt)
return "%s$%s" % (self.algorithm, data)
- @password_max_length(MAXIMUM_PASSWORD_LENGTH)
def verify(self, password, encoded):
algorithm, data = encoded.split('$', 1)
assert algorithm == self.algorithm
@@ -303,14 +285,12 @@ class SHA1PasswordHasher(BasePasswordHasher):
"""
algorithm = "sha1"
- @password_max_length(MAXIMUM_PASSWORD_LENGTH)
def encode(self, password, salt):
assert password
assert salt and '$' not in salt
hash = hashlib.sha1(salt + password).hexdigest()
return "%s$%s$%s" % (self.algorithm, salt, hash)
- @password_max_length(MAXIMUM_PASSWORD_LENGTH)
def verify(self, password, encoded):
algorithm, salt, hash = encoded.split('$', 2)
assert algorithm == self.algorithm
@@ -333,14 +313,12 @@ class MD5PasswordHasher(BasePasswordHasher):
"""
algorithm = "md5"
- @password_max_length(MAXIMUM_PASSWORD_LENGTH)
def encode(self, password, salt):
assert password
assert salt and '$' not in salt
hash = hashlib.md5(salt + password).hexdigest()
return "%s$%s$%s" % (self.algorithm, salt, hash)
- @password_max_length(MAXIMUM_PASSWORD_LENGTH)
def verify(self, password, encoded):
algorithm, salt, hash = encoded.split('$', 2)
assert algorithm == self.algorithm
@@ -371,13 +349,11 @@ class UnsaltedSHA1PasswordHasher(BasePasswordHasher):
def salt(self):
return ''
- @password_max_length(MAXIMUM_PASSWORD_LENGTH)
def encode(self, password, salt):
assert salt == ''
hash = hashlib.sha1(password).hexdigest()
return 'sha1$$%s' % hash
- @password_max_length(MAXIMUM_PASSWORD_LENGTH)
def verify(self, password, encoded):
encoded_2 = self.encode(password, '')
return constant_time_compare(encoded, encoded_2)
@@ -407,12 +383,10 @@ class UnsaltedMD5PasswordHasher(BasePasswordHasher):
def salt(self):
return ''
- @password_max_length(MAXIMUM_PASSWORD_LENGTH)
def encode(self, password, salt):
assert salt == ''
return hashlib.md5(password).hexdigest()
- @password_max_length(MAXIMUM_PASSWORD_LENGTH)
def verify(self, password, encoded):
if len(encoded) == 37 and encoded.startswith('md5$$'):
encoded = encoded[5:]
@@ -438,7 +412,6 @@ class CryptPasswordHasher(BasePasswordHasher):
def salt(self):
return get_random_string(2)
- @password_max_length(MAXIMUM_PASSWORD_LENGTH)
def encode(self, password, salt):
crypt = self._load_library()
assert len(salt) == 2
@@ -446,7 +419,6 @@ def encode(self, password, salt):
# we don't need to store the salt, but Django used to do this
return "%s$%s$%s" % (self.algorithm, '', data)
- @password_max_length(MAXIMUM_PASSWORD_LENGTH)
def verify(self, password, encoded):
crypt = self._load_library()
algorithm, salt, data = encoded.split('$', 2)
@@ -461,3 +433,4 @@ def safe_summary(self, encoded):
(_('salt'), salt),
(_('hash'), mask_hash(data, show=3)),
])
+
View
72 django/contrib/auth/tests/hashers.py
@@ -1,8 +1,7 @@
from django.conf.global_settings import PASSWORD_HASHERS as default_hashers
from django.contrib.auth.hashers import (is_password_usable,
check_password, make_password, PBKDF2PasswordHasher, load_hashers,
- PBKDF2SHA1PasswordHasher, get_hasher, UNUSABLE_PASSWORD,
- MAXIMUM_PASSWORD_LENGTH, password_max_length)
+ PBKDF2SHA1PasswordHasher, get_hasher, UNUSABLE_PASSWORD)
from django.utils import unittest
from django.utils.unittest import skipUnless
from django.test.utils import override_settings
@@ -29,12 +28,6 @@ def test_simple(self):
self.assertTrue(is_password_usable(encoded))
self.assertTrue(check_password(u'letmein', encoded))
self.assertFalse(check_password('letmeinz', encoded))
- # Long password
- self.assertRaises(
- ValueError,
- make_password,
- "1" * (MAXIMUM_PASSWORD_LENGTH + 1),
- )
def test_pkbdf2(self):
encoded = make_password('letmein', 'seasalt', 'pbkdf2_sha256')
@@ -43,14 +36,6 @@ def test_pkbdf2(self):
self.assertTrue(is_password_usable(encoded))
self.assertTrue(check_password(u'letmein', encoded))
self.assertFalse(check_password('letmeinz', encoded))
- # Long password
- self.assertRaises(
- ValueError,
- make_password,
- "1" * (MAXIMUM_PASSWORD_LENGTH + 1),
- "seasalt",
- "pbkdf2_sha256",
- )
def test_sha1(self):
encoded = make_password('letmein', 'seasalt', 'sha1')
@@ -59,14 +44,6 @@ def test_sha1(self):
self.assertTrue(is_password_usable(encoded))
self.assertTrue(check_password(u'letmein', encoded))
self.assertFalse(check_password('letmeinz', encoded))
- # Long password
- self.assertRaises(
- ValueError,
- make_password,
- "1" * (MAXIMUM_PASSWORD_LENGTH + 1),
- "seasalt",
- "sha1",
- )
def test_md5(self):
encoded = make_password('letmein', 'seasalt', 'md5')
@@ -75,14 +52,6 @@ def test_md5(self):
self.assertTrue(is_password_usable(encoded))
self.assertTrue(check_password(u'letmein', encoded))
self.assertFalse(check_password('letmeinz', encoded))
- # Long password
- self.assertRaises(
- ValueError,
- make_password,
- "1" * (MAXIMUM_PASSWORD_LENGTH + 1),
- "seasalt",
- "md5",
- )
def test_unsalted_md5(self):
encoded = make_password('letmein', '', 'unsalted_md5')
@@ -95,14 +64,6 @@ def test_unsalted_md5(self):
self.assertTrue(is_password_usable(alt_encoded))
self.assertTrue(check_password(u'letmein', alt_encoded))
self.assertFalse(check_password('letmeinz', alt_encoded))
- # Long password
- self.assertRaises(
- ValueError,
- make_password,
- "1" * (MAXIMUM_PASSWORD_LENGTH + 1),
- "",
- "unsalted_md5",
- )
def test_unsalted_sha1(self):
encoded = make_password('letmein', '', 'unsalted_sha1')
@@ -113,14 +74,6 @@ def test_unsalted_sha1(self):
# Raw SHA1 isn't acceptable
alt_encoded = encoded[6:]
self.assertRaises(ValueError, check_password, 'letmein', alt_encoded)
- # Long password
- self.assertRaises(
- ValueError,
- make_password,
- "1" * (MAXIMUM_PASSWORD_LENGTH + 1),
- "",
- "unslated_sha1",
- )
@skipUnless(crypt, "no crypt module to generate password.")
def test_crypt(self):
@@ -129,14 +82,6 @@ def test_crypt(self):
self.assertTrue(is_password_usable(encoded))
self.assertTrue(check_password(u'letmein', encoded))
self.assertFalse(check_password('letmeinz', encoded))
- # Long password
- self.assertRaises(
- ValueError,
- make_password,
- "1" * (MAXIMUM_PASSWORD_LENGTH + 1),
- "seasalt",
- "crypt",
- )
@skipUnless(bcrypt, "py-bcrypt not installed")
def test_bcrypt(self):
@@ -145,13 +90,6 @@ def test_bcrypt(self):
self.assertTrue(encoded.startswith('bcrypt$'))
self.assertTrue(check_password(u'letmein', encoded))
self.assertFalse(check_password('letmeinz', encoded))
- # Long password
- self.assertRaises(
- ValueError,
- make_password,
- "1" * (MAXIMUM_PASSWORD_LENGTH + 1),
- hasher="bcrypt",
- )
def test_unusable(self):
encoded = make_password(None)
@@ -167,14 +105,6 @@ def doit():
make_password('letmein', hasher='lolcat')
self.assertRaises(ValueError, doit)
- def test_max_password_length_decorator(self):
- @password_max_length(10)
- def encode(s, password, salt):
- return True
-
- self.assertTrue(encode(None, "1234", "1234"))
- self.assertRaises(ValueError, encode, None, "1234567890A", "1234")
-
def test_low_level_pkbdf2(self):
hasher = PBKDF2PasswordHasher()
encoded = hasher.encode('letmein', 'seasalt')
Please sign in to comment.
Something went wrong with that request. Please try again.