Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse code

Revert "[1.5.x] Ensure that passwords are never long enough for a DoS."

This reverts commit 22b74fa.

This fix is no longer necessary, our pbkdf2 (see next commit) implementation
no longer rehashes the password every iteration.
  • Loading branch information...
commit 1cc572a071003583f15cdbca2f5b4d910ebd3504 1 parent de8715c
Florian Apolloner authored September 24, 2013
48  django/contrib/auth/forms.py
@@ -12,9 +12,7 @@
12 12
 
13 13
 from django.contrib.auth import authenticate, get_user_model
14 14
 from django.contrib.auth.models import User
15  
-from django.contrib.auth.hashers import (
16  
-    MAXIMUM_PASSWORD_LENGTH, UNUSABLE_PASSWORD, identify_hasher,
17  
-)
  15
+from django.contrib.auth.hashers import UNUSABLE_PASSWORD, identify_hasher
18 16
 from django.contrib.auth.tokens import default_token_generator
19 17
 from django.contrib.sites.models import get_current_site
20 18
 
@@ -77,10 +75,9 @@ class UserCreationForm(forms.ModelForm):
77 75
             'invalid': _("This value may contain only letters, numbers and "
78 76
                          "@/./+/-/_ characters.")})
79 77
     password1 = forms.CharField(label=_("Password"),
80  
-        widget=forms.PasswordInput, max_length=MAXIMUM_PASSWORD_LENGTH)
  78
+        widget=forms.PasswordInput)
81 79
     password2 = forms.CharField(label=_("Password confirmation"),
82 80
         widget=forms.PasswordInput,
83  
-        max_length=MAXIMUM_PASSWORD_LENGTH,
84 81
         help_text=_("Enter the same password as above, for verification."))
85 82
 
86 83
     class Meta:
@@ -148,11 +145,7 @@ class AuthenticationForm(forms.Form):
148 145
     username/password logins.
149 146
     """
150 147
     username = forms.CharField(max_length=254)
151  
-    password = forms.CharField(
152  
-        label=_("Password"),
153  
-        widget=forms.PasswordInput,
154  
-        max_length=MAXIMUM_PASSWORD_LENGTH,
155  
-    )
  148
+    password = forms.CharField(label=_("Password"), widget=forms.PasswordInput)
156 149
 
157 150
     error_messages = {
158 151
         'invalid_login': _("Please enter a correct %(username)s and password. "
@@ -276,16 +269,10 @@ class SetPasswordForm(forms.Form):
276 269
     error_messages = {
277 270
         'password_mismatch': _("The two password fields didn't match."),
278 271
     }
279  
-    new_password1 = forms.CharField(
280  
-        label=_("New password"),
281  
-        widget=forms.PasswordInput,
282  
-        max_length=MAXIMUM_PASSWORD_LENGTH,
283  
-    )
284  
-    new_password2 = forms.CharField(
285  
-        label=_("New password confirmation"),
286  
-        widget=forms.PasswordInput,
287  
-        max_length=MAXIMUM_PASSWORD_LENGTH,
288  
-    )
  272
+    new_password1 = forms.CharField(label=_("New password"),
  273
+                                    widget=forms.PasswordInput)
  274
+    new_password2 = forms.CharField(label=_("New password confirmation"),
  275
+                                    widget=forms.PasswordInput)
289 276
 
290 277
     def __init__(self, user, *args, **kwargs):
291 278
         self.user = user
@@ -316,11 +303,8 @@ class PasswordChangeForm(SetPasswordForm):
316 303
         'password_incorrect': _("Your old password was entered incorrectly. "
317 304
                                 "Please enter it again."),
318 305
     })
319  
-    old_password = forms.CharField(
320  
-        label=_("Old password"),
321  
-        widget=forms.PasswordInput,
322  
-        max_length=MAXIMUM_PASSWORD_LENGTH,
323  
-    )
  306
+    old_password = forms.CharField(label=_("Old password"),
  307
+                                   widget=forms.PasswordInput)
324 308
 
325 309
     def clean_old_password(self):
326 310
         """
@@ -345,16 +329,10 @@ class AdminPasswordChangeForm(forms.Form):
345 329
     error_messages = {
346 330
         'password_mismatch': _("The two password fields didn't match."),
347 331
     }
348  
-    password1 = forms.CharField(
349  
-        label=_("Password"),
350  
-        widget=forms.PasswordInput,
351  
-        max_length=MAXIMUM_PASSWORD_LENGTH,
352  
-    )
353  
-    password2 = forms.CharField(
354  
-        label=_("Password (again)"),
355  
-        widget=forms.PasswordInput,
356  
-        max_length=MAXIMUM_PASSWORD_LENGTH,
357  
-    )
  332
+    password1 = forms.CharField(label=_("Password"),
  333
+                                widget=forms.PasswordInput)
  334
+    password2 = forms.CharField(label=_("Password (again)"),
  335
+                                widget=forms.PasswordInput)
358 336
 
359 337
     def __init__(self, user, *args, **kwargs):
360 338
         self.user = user
29  django/contrib/auth/hashers.py
... ...
@@ -1,7 +1,6 @@
1 1
 from __future__ import unicode_literals
2 2
 
3 3
 import base64
4  
-import functools
5 4
 import hashlib
6 5
 
7 6
 from django.dispatch import receiver
@@ -17,7 +16,6 @@
17 16
 
18 17
 
19 18
 UNUSABLE_PASSWORD = '!'  # This will never be a valid encoded hash
20  
-MAXIMUM_PASSWORD_LENGTH = 4096  # The maximum length a password can be to prevent DoS
21 19
 HASHERS = None  # lazily loaded from PASSWORD_HASHERS
22 20
 PREFERRED_HASHER = None  # defaults to first item in PASSWORD_HASHERS
23 21
 
@@ -29,18 +27,6 @@ def reset_hashers(**kwargs):
29 27
         PREFERRED_HASHER = None
30 28
 
31 29
 
32  
-def password_max_length(max_length):
33  
-    def inner(fn):
34  
-        @functools.wraps(fn)
35  
-        def wrapper(self, password, *args, **kwargs):
36  
-            if len(password) > max_length:
37  
-                raise ValueError("Invalid password; Must be less than or equal"
38  
-                                 " to %d bytes" % max_length)
39  
-            return fn(self, password, *args, **kwargs)
40  
-        return wrapper
41  
-    return inner
42  
-
43  
-
44 30
 def is_password_usable(encoded):
45 31
     if encoded is None or encoded == UNUSABLE_PASSWORD:
46 32
         return False
@@ -239,7 +225,6 @@ class PBKDF2PasswordHasher(BasePasswordHasher):
239 225
     iterations = 10000
240 226
     digest = hashlib.sha256
241 227
 
242  
-    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
243 228
     def encode(self, password, salt, iterations=None):
244 229
         assert password
245 230
         assert salt and '$' not in salt
@@ -249,7 +234,6 @@ def encode(self, password, salt, iterations=None):
249 234
         hash = base64.b64encode(hash).decode('ascii').strip()
250 235
         return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash)
251 236
 
252  
-    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
253 237
     def verify(self, password, encoded):
254 238
         algorithm, iterations, salt, hash = encoded.split('$', 3)
255 239
         assert algorithm == self.algorithm
@@ -295,7 +279,6 @@ def salt(self):
295 279
         bcrypt = self._load_library()
296 280
         return bcrypt.gensalt(self.rounds)
297 281
 
298  
-    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
299 282
     def encode(self, password, salt):
300 283
         bcrypt = self._load_library()
301 284
         # Need to reevaluate the force_bytes call once bcrypt is supported on
@@ -303,7 +286,6 @@ def encode(self, password, salt):
303 286
         data = bcrypt.hashpw(force_bytes(password), salt)
304 287
         return "%s$%s" % (self.algorithm, data)
305 288
 
306  
-    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
307 289
     def verify(self, password, encoded):
308 290
         algorithm, data = encoded.split('$', 1)
309 291
         assert algorithm == self.algorithm
@@ -328,14 +310,12 @@ class SHA1PasswordHasher(BasePasswordHasher):
328 310
     """
329 311
     algorithm = "sha1"
330 312
 
331  
-    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
332 313
     def encode(self, password, salt):
333 314
         assert password
334 315
         assert salt and '$' not in salt
335 316
         hash = hashlib.sha1(force_bytes(salt + password)).hexdigest()
336 317
         return "%s$%s$%s" % (self.algorithm, salt, hash)
337 318
 
338  
-    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
339 319
     def verify(self, password, encoded):
340 320
         algorithm, salt, hash = encoded.split('$', 2)
341 321
         assert algorithm == self.algorithm
@@ -358,14 +338,12 @@ class MD5PasswordHasher(BasePasswordHasher):
358 338
     """
359 339
     algorithm = "md5"
360 340
 
361  
-    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
362 341
     def encode(self, password, salt):
363 342
         assert password
364 343
         assert salt and '$' not in salt
365 344
         hash = hashlib.md5(force_bytes(salt + password)).hexdigest()
366 345
         return "%s$%s$%s" % (self.algorithm, salt, hash)
367 346
 
368  
-    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
369 347
     def verify(self, password, encoded):
370 348
         algorithm, salt, hash = encoded.split('$', 2)
371 349
         assert algorithm == self.algorithm
@@ -396,13 +374,11 @@ class UnsaltedSHA1PasswordHasher(BasePasswordHasher):
396 374
     def salt(self):
397 375
         return ''
398 376
 
399  
-    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
400 377
     def encode(self, password, salt):
401 378
         assert salt == ''
402 379
         hash = hashlib.sha1(force_bytes(password)).hexdigest()
403 380
         return 'sha1$$%s' % hash
404 381
 
405  
-    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
406 382
     def verify(self, password, encoded):
407 383
         encoded_2 = self.encode(password, '')
408 384
         return constant_time_compare(encoded, encoded_2)
@@ -432,12 +408,10 @@ class UnsaltedMD5PasswordHasher(BasePasswordHasher):
432 408
     def salt(self):
433 409
         return ''
434 410
 
435  
-    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
436 411
     def encode(self, password, salt):
437 412
         assert salt == ''
438 413
         return hashlib.md5(force_bytes(password)).hexdigest()
439 414
 
440  
-    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
441 415
     def verify(self, password, encoded):
442 416
         if len(encoded) == 37 and encoded.startswith('md5$$'):
443 417
             encoded = encoded[5:]
@@ -463,7 +437,6 @@ class CryptPasswordHasher(BasePasswordHasher):
463 437
     def salt(self):
464 438
         return get_random_string(2)
465 439
 
466  
-    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
467 440
     def encode(self, password, salt):
468 441
         crypt = self._load_library()
469 442
         assert len(salt) == 2
@@ -471,7 +444,6 @@ def encode(self, password, salt):
471 444
         # we don't need to store the salt, but Django used to do this
472 445
         return "%s$%s$%s" % (self.algorithm, '', data)
473 446
 
474  
-    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
475 447
     def verify(self, password, encoded):
476 448
         crypt = self._load_library()
477 449
         algorithm, salt, data = encoded.split('$', 2)
@@ -486,3 +458,4 @@ def safe_summary(self, encoded):
486 458
             (_('salt'), salt),
487 459
             (_('hash'), mask_hash(data, show=3)),
488 460
         ])
  461
+
72  django/contrib/auth/tests/hashers.py
@@ -4,8 +4,7 @@
4 4
 from django.conf.global_settings import PASSWORD_HASHERS as default_hashers
5 5
 from django.contrib.auth.hashers import (is_password_usable,
6 6
     check_password, make_password, PBKDF2PasswordHasher, load_hashers,
7  
-    PBKDF2SHA1PasswordHasher, get_hasher, identify_hasher, UNUSABLE_PASSWORD,
8  
-    MAXIMUM_PASSWORD_LENGTH, password_max_length)
  7
+    PBKDF2SHA1PasswordHasher, get_hasher, identify_hasher, UNUSABLE_PASSWORD)
9 8
 from django.utils import unittest
10 9
 from django.utils.unittest import skipUnless
11 10
 
@@ -32,12 +31,6 @@ def test_simple(self):
32 31
         self.assertTrue(is_password_usable(encoded))
33 32
         self.assertTrue(check_password('lètmein', encoded))
34 33
         self.assertFalse(check_password('lètmeinz', encoded))
35  
-        # Long password
36  
-        self.assertRaises(
37  
-            ValueError,
38  
-            make_password,
39  
-            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
40  
-        )
41 34
 
42 35
     def test_pkbdf2(self):
43 36
         encoded = make_password('lètmein', 'seasalt', 'pbkdf2_sha256')
@@ -47,14 +40,6 @@ def test_pkbdf2(self):
47 40
         self.assertTrue(check_password('lètmein', encoded))
48 41
         self.assertFalse(check_password('lètmeinz', encoded))
49 42
         self.assertEqual(identify_hasher(encoded).algorithm, "pbkdf2_sha256")
50  
-        # Long password
51  
-        self.assertRaises(
52  
-            ValueError,
53  
-            make_password,
54  
-            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
55  
-            "seasalt",
56  
-            "pbkdf2_sha256",
57  
-        )
58 43
 
59 44
     def test_sha1(self):
60 45
         encoded = make_password('lètmein', 'seasalt', 'sha1')
@@ -64,14 +49,6 @@ def test_sha1(self):
64 49
         self.assertTrue(check_password('lètmein', encoded))
65 50
         self.assertFalse(check_password('lètmeinz', encoded))
66 51
         self.assertEqual(identify_hasher(encoded).algorithm, "sha1")
67  
-        # Long password
68  
-        self.assertRaises(
69  
-            ValueError,
70  
-            make_password,
71  
-            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
72  
-            "seasalt",
73  
-            "sha1",
74  
-        )
75 52
 
76 53
     def test_md5(self):
77 54
         encoded = make_password('lètmein', 'seasalt', 'md5')
@@ -81,14 +58,6 @@ def test_md5(self):
81 58
         self.assertTrue(check_password('lètmein', encoded))
82 59
         self.assertFalse(check_password('lètmeinz', encoded))
83 60
         self.assertEqual(identify_hasher(encoded).algorithm, "md5")
84  
-        # Long password
85  
-        self.assertRaises(
86  
-            ValueError,
87  
-            make_password,
88  
-            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
89  
-            "seasalt",
90  
-            "md5",
91  
-        )
92 61
 
93 62
     def test_unsalted_md5(self):
94 63
         encoded = make_password('lètmein', '', 'unsalted_md5')
@@ -102,14 +71,6 @@ def test_unsalted_md5(self):
102 71
         self.assertTrue(is_password_usable(alt_encoded))
103 72
         self.assertTrue(check_password('lètmein', alt_encoded))
104 73
         self.assertFalse(check_password('lètmeinz', alt_encoded))
105  
-        # Long password
106  
-        self.assertRaises(
107  
-            ValueError,
108  
-            make_password,
109  
-            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
110  
-            "",
111  
-            "unsalted_md5",
112  
-        )
113 74
 
114 75
     def test_unsalted_sha1(self):
115 76
         encoded = make_password('lètmein', '', 'unsalted_sha1')
@@ -121,14 +82,6 @@ def test_unsalted_sha1(self):
121 82
         # Raw SHA1 isn't acceptable
122 83
         alt_encoded = encoded[6:]
123 84
         self.assertFalse(check_password('lètmein', alt_encoded))
124  
-        # Long password
125  
-        self.assertRaises(
126  
-            ValueError,
127  
-            make_password,
128  
-            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
129  
-            "",
130  
-            "unslated_sha1",
131  
-        )
132 85
 
133 86
     @skipUnless(crypt, "no crypt module to generate password.")
134 87
     def test_crypt(self):
@@ -138,14 +91,6 @@ def test_crypt(self):
138 91
         self.assertTrue(check_password('lètmei', encoded))
139 92
         self.assertFalse(check_password('lètmeiz', encoded))
140 93
         self.assertEqual(identify_hasher(encoded).algorithm, "crypt")
141  
-        # Long password
142  
-        self.assertRaises(
143  
-            ValueError,
144  
-            make_password,
145  
-            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
146  
-            "seasalt",
147  
-            "crypt",
148  
-        )
149 94
 
150 95
     @skipUnless(bcrypt, "py-bcrypt not installed")
151 96
     def test_bcrypt(self):
@@ -155,13 +100,6 @@ def test_bcrypt(self):
155 100
         self.assertTrue(check_password('lètmein', encoded))
156 101
         self.assertFalse(check_password('lètmeinz', encoded))
157 102
         self.assertEqual(identify_hasher(encoded).algorithm, "bcrypt")
158  
-        # Long password
159  
-        self.assertRaises(
160  
-            ValueError,
161  
-            make_password,
162  
-            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
163  
-            hasher="bcrypt",
164  
-        )
165 103
 
166 104
     def test_unusable(self):
167 105
         encoded = make_password(None)
@@ -183,14 +121,6 @@ def test_bad_encoded(self):
183 121
         self.assertFalse(is_password_usable('lètmein_badencoded'))
184 122
         self.assertFalse(is_password_usable(''))
185 123
 
186  
-    def test_max_password_length_decorator(self):
187  
-        @password_max_length(10)
188  
-        def encode(s, password, salt):
189  
-            return True
190  
-
191  
-        self.assertTrue(encode(None, b"1234", b"1234"))
192  
-        self.assertRaises(ValueError, encode, None, b"1234567890A", b"1234")
193  
-
194 124
     def test_low_level_pkbdf2(self):
195 125
         hasher = PBKDF2PasswordHasher()
196 126
         encoded = hasher.encode('lètmein', 'seasalt')

0 notes on commit 1cc572a

Please sign in to comment.
Something went wrong with that request. Please try again.