Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse code

[1.5.x] Ensure that passwords are never long enough for a DoS.

 * Limit the password length to 4096 bytes
  * Password hashers will raise a ValueError
  * django.contrib.auth forms will fail validation
 * Document in release notes that this is a backwards incompatible change

Thanks to Josh Wright for the report, and Donald Stufft for the patch.

This is a security fix; disclosure to follow shortly.

Backport of aae5a96 from master.
  • Loading branch information...
commit 22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc 1 parent e66fe35
Russell Keith-Magee authored September 15, 2013
48  django/contrib/auth/forms.py
@@ -12,7 +12,9 @@
12 12
 
13 13
 from django.contrib.auth import authenticate, get_user_model
14 14
 from django.contrib.auth.models import User
15  
-from django.contrib.auth.hashers import UNUSABLE_PASSWORD, identify_hasher
  15
+from django.contrib.auth.hashers import (
  16
+    MAXIMUM_PASSWORD_LENGTH, UNUSABLE_PASSWORD, identify_hasher,
  17
+)
16 18
 from django.contrib.auth.tokens import default_token_generator
17 19
 from django.contrib.sites.models import get_current_site
18 20
 
@@ -75,9 +77,10 @@ class UserCreationForm(forms.ModelForm):
75 77
             'invalid': _("This value may contain only letters, numbers and "
76 78
                          "@/./+/-/_ characters.")})
77 79
     password1 = forms.CharField(label=_("Password"),
78  
-        widget=forms.PasswordInput)
  80
+        widget=forms.PasswordInput, max_length=MAXIMUM_PASSWORD_LENGTH)
79 81
     password2 = forms.CharField(label=_("Password confirmation"),
80 82
         widget=forms.PasswordInput,
  83
+        max_length=MAXIMUM_PASSWORD_LENGTH,
81 84
         help_text=_("Enter the same password as above, for verification."))
82 85
 
83 86
     class Meta:
@@ -145,7 +148,11 @@ class AuthenticationForm(forms.Form):
145 148
     username/password logins.
146 149
     """
147 150
     username = forms.CharField(max_length=254)
148  
-    password = forms.CharField(label=_("Password"), widget=forms.PasswordInput)
  151
+    password = forms.CharField(
  152
+        label=_("Password"),
  153
+        widget=forms.PasswordInput,
  154
+        max_length=MAXIMUM_PASSWORD_LENGTH,
  155
+    )
149 156
 
150 157
     error_messages = {
151 158
         'invalid_login': _("Please enter a correct %(username)s and password. "
@@ -269,10 +276,16 @@ class SetPasswordForm(forms.Form):
269 276
     error_messages = {
270 277
         'password_mismatch': _("The two password fields didn't match."),
271 278
     }
272  
-    new_password1 = forms.CharField(label=_("New password"),
273  
-                                    widget=forms.PasswordInput)
274  
-    new_password2 = forms.CharField(label=_("New password confirmation"),
275  
-                                    widget=forms.PasswordInput)
  279
+    new_password1 = forms.CharField(
  280
+        label=_("New password"),
  281
+        widget=forms.PasswordInput,
  282
+        max_length=MAXIMUM_PASSWORD_LENGTH,
  283
+    )
  284
+    new_password2 = forms.CharField(
  285
+        label=_("New password confirmation"),
  286
+        widget=forms.PasswordInput,
  287
+        max_length=MAXIMUM_PASSWORD_LENGTH,
  288
+    )
276 289
 
277 290
     def __init__(self, user, *args, **kwargs):
278 291
         self.user = user
@@ -303,8 +316,11 @@ class PasswordChangeForm(SetPasswordForm):
303 316
         'password_incorrect': _("Your old password was entered incorrectly. "
304 317
                                 "Please enter it again."),
305 318
     })
306  
-    old_password = forms.CharField(label=_("Old password"),
307  
-                                   widget=forms.PasswordInput)
  319
+    old_password = forms.CharField(
  320
+        label=_("Old password"),
  321
+        widget=forms.PasswordInput,
  322
+        max_length=MAXIMUM_PASSWORD_LENGTH,
  323
+    )
308 324
 
309 325
     def clean_old_password(self):
310 326
         """
@@ -329,10 +345,16 @@ class AdminPasswordChangeForm(forms.Form):
329 345
     error_messages = {
330 346
         'password_mismatch': _("The two password fields didn't match."),
331 347
     }
332  
-    password1 = forms.CharField(label=_("Password"),
333  
-                                widget=forms.PasswordInput)
334  
-    password2 = forms.CharField(label=_("Password (again)"),
335  
-                                widget=forms.PasswordInput)
  348
+    password1 = forms.CharField(
  349
+        label=_("Password"),
  350
+        widget=forms.PasswordInput,
  351
+        max_length=MAXIMUM_PASSWORD_LENGTH,
  352
+    )
  353
+    password2 = forms.CharField(
  354
+        label=_("Password (again)"),
  355
+        widget=forms.PasswordInput,
  356
+        max_length=MAXIMUM_PASSWORD_LENGTH,
  357
+    )
336 358
 
337 359
     def __init__(self, user, *args, **kwargs):
338 360
         self.user = user
29  django/contrib/auth/hashers.py
... ...
@@ -1,6 +1,7 @@
1 1
 from __future__ import unicode_literals
2 2
 
3 3
 import base64
  4
+import functools
4 5
 import hashlib
5 6
 
6 7
 from django.dispatch import receiver
@@ -16,6 +17,7 @@
16 17
 
17 18
 
18 19
 UNUSABLE_PASSWORD = '!'  # This will never be a valid encoded hash
  20
+MAXIMUM_PASSWORD_LENGTH = 4096  # The maximum length a password can be to prevent DoS
19 21
 HASHERS = None  # lazily loaded from PASSWORD_HASHERS
20 22
 PREFERRED_HASHER = None  # defaults to first item in PASSWORD_HASHERS
21 23
 
@@ -27,6 +29,18 @@ def reset_hashers(**kwargs):
27 29
         PREFERRED_HASHER = None
28 30
 
29 31
 
  32
+def password_max_length(max_length):
  33
+    def inner(fn):
  34
+        @functools.wraps(fn)
  35
+        def wrapper(self, password, *args, **kwargs):
  36
+            if len(password) > max_length:
  37
+                raise ValueError("Invalid password; Must be less than or equal"
  38
+                                 " to %d bytes" % max_length)
  39
+            return fn(self, password, *args, **kwargs)
  40
+        return wrapper
  41
+    return inner
  42
+
  43
+
30 44
 def is_password_usable(encoded):
31 45
     if encoded is None or encoded == UNUSABLE_PASSWORD:
32 46
         return False
@@ -225,6 +239,7 @@ class PBKDF2PasswordHasher(BasePasswordHasher):
225 239
     iterations = 10000
226 240
     digest = hashlib.sha256
227 241
 
  242
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
228 243
     def encode(self, password, salt, iterations=None):
229 244
         assert password
230 245
         assert salt and '$' not in salt
@@ -234,6 +249,7 @@ def encode(self, password, salt, iterations=None):
234 249
         hash = base64.b64encode(hash).decode('ascii').strip()
235 250
         return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash)
236 251
 
  252
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
237 253
     def verify(self, password, encoded):
238 254
         algorithm, iterations, salt, hash = encoded.split('$', 3)
239 255
         assert algorithm == self.algorithm
@@ -279,6 +295,7 @@ def salt(self):
279 295
         bcrypt = self._load_library()
280 296
         return bcrypt.gensalt(self.rounds)
281 297
 
  298
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
282 299
     def encode(self, password, salt):
283 300
         bcrypt = self._load_library()
284 301
         # Need to reevaluate the force_bytes call once bcrypt is supported on
@@ -286,6 +303,7 @@ def encode(self, password, salt):
286 303
         data = bcrypt.hashpw(force_bytes(password), salt)
287 304
         return "%s$%s" % (self.algorithm, data)
288 305
 
  306
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
289 307
     def verify(self, password, encoded):
290 308
         algorithm, data = encoded.split('$', 1)
291 309
         assert algorithm == self.algorithm
@@ -310,12 +328,14 @@ class SHA1PasswordHasher(BasePasswordHasher):
310 328
     """
311 329
     algorithm = "sha1"
312 330
 
  331
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
313 332
     def encode(self, password, salt):
314 333
         assert password
315 334
         assert salt and '$' not in salt
316 335
         hash = hashlib.sha1(force_bytes(salt + password)).hexdigest()
317 336
         return "%s$%s$%s" % (self.algorithm, salt, hash)
318 337
 
  338
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
319 339
     def verify(self, password, encoded):
320 340
         algorithm, salt, hash = encoded.split('$', 2)
321 341
         assert algorithm == self.algorithm
@@ -338,12 +358,14 @@ class MD5PasswordHasher(BasePasswordHasher):
338 358
     """
339 359
     algorithm = "md5"
340 360
 
  361
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
341 362
     def encode(self, password, salt):
342 363
         assert password
343 364
         assert salt and '$' not in salt
344 365
         hash = hashlib.md5(force_bytes(salt + password)).hexdigest()
345 366
         return "%s$%s$%s" % (self.algorithm, salt, hash)
346 367
 
  368
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
347 369
     def verify(self, password, encoded):
348 370
         algorithm, salt, hash = encoded.split('$', 2)
349 371
         assert algorithm == self.algorithm
@@ -374,11 +396,13 @@ class UnsaltedSHA1PasswordHasher(BasePasswordHasher):
374 396
     def salt(self):
375 397
         return ''
376 398
 
  399
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
377 400
     def encode(self, password, salt):
378 401
         assert salt == ''
379 402
         hash = hashlib.sha1(force_bytes(password)).hexdigest()
380 403
         return 'sha1$$%s' % hash
381 404
 
  405
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
382 406
     def verify(self, password, encoded):
383 407
         encoded_2 = self.encode(password, '')
384 408
         return constant_time_compare(encoded, encoded_2)
@@ -408,10 +432,12 @@ class UnsaltedMD5PasswordHasher(BasePasswordHasher):
408 432
     def salt(self):
409 433
         return ''
410 434
 
  435
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
411 436
     def encode(self, password, salt):
412 437
         assert salt == ''
413 438
         return hashlib.md5(force_bytes(password)).hexdigest()
414 439
 
  440
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
415 441
     def verify(self, password, encoded):
416 442
         if len(encoded) == 37 and encoded.startswith('md5$$'):
417 443
             encoded = encoded[5:]
@@ -437,6 +463,7 @@ class CryptPasswordHasher(BasePasswordHasher):
437 463
     def salt(self):
438 464
         return get_random_string(2)
439 465
 
  466
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
440 467
     def encode(self, password, salt):
441 468
         crypt = self._load_library()
442 469
         assert len(salt) == 2
@@ -444,6 +471,7 @@ def encode(self, password, salt):
444 471
         # we don't need to store the salt, but Django used to do this
445 472
         return "%s$%s$%s" % (self.algorithm, '', data)
446 473
 
  474
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
447 475
     def verify(self, password, encoded):
448 476
         crypt = self._load_library()
449 477
         algorithm, salt, data = encoded.split('$', 2)
@@ -458,4 +486,3 @@ def safe_summary(self, encoded):
458 486
             (_('salt'), salt),
459 487
             (_('hash'), mask_hash(data, show=3)),
460 488
         ])
461  
-
72  django/contrib/auth/tests/hashers.py
@@ -4,7 +4,8 @@
4 4
 from django.conf.global_settings import PASSWORD_HASHERS as default_hashers
5 5
 from django.contrib.auth.hashers import (is_password_usable,
6 6
     check_password, make_password, PBKDF2PasswordHasher, load_hashers,
7  
-    PBKDF2SHA1PasswordHasher, get_hasher, identify_hasher, UNUSABLE_PASSWORD)
  7
+    PBKDF2SHA1PasswordHasher, get_hasher, identify_hasher, UNUSABLE_PASSWORD,
  8
+    MAXIMUM_PASSWORD_LENGTH, password_max_length)
8 9
 from django.utils import unittest
9 10
 from django.utils.unittest import skipUnless
10 11
 
@@ -31,6 +32,12 @@ def test_simple(self):
31 32
         self.assertTrue(is_password_usable(encoded))
32 33
         self.assertTrue(check_password('lètmein', encoded))
33 34
         self.assertFalse(check_password('lètmeinz', encoded))
  35
+        # Long password
  36
+        self.assertRaises(
  37
+            ValueError,
  38
+            make_password,
  39
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
  40
+        )
34 41
 
35 42
     def test_pkbdf2(self):
36 43
         encoded = make_password('lètmein', 'seasalt', 'pbkdf2_sha256')
@@ -40,6 +47,14 @@ def test_pkbdf2(self):
40 47
         self.assertTrue(check_password('lètmein', encoded))
41 48
         self.assertFalse(check_password('lètmeinz', encoded))
42 49
         self.assertEqual(identify_hasher(encoded).algorithm, "pbkdf2_sha256")
  50
+        # Long password
  51
+        self.assertRaises(
  52
+            ValueError,
  53
+            make_password,
  54
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
  55
+            "seasalt",
  56
+            "pbkdf2_sha256",
  57
+        )
43 58
 
44 59
     def test_sha1(self):
45 60
         encoded = make_password('lètmein', 'seasalt', 'sha1')
@@ -49,6 +64,14 @@ def test_sha1(self):
49 64
         self.assertTrue(check_password('lètmein', encoded))
50 65
         self.assertFalse(check_password('lètmeinz', encoded))
51 66
         self.assertEqual(identify_hasher(encoded).algorithm, "sha1")
  67
+        # Long password
  68
+        self.assertRaises(
  69
+            ValueError,
  70
+            make_password,
  71
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
  72
+            "seasalt",
  73
+            "sha1",
  74
+        )
52 75
 
53 76
     def test_md5(self):
54 77
         encoded = make_password('lètmein', 'seasalt', 'md5')
@@ -58,6 +81,14 @@ def test_md5(self):
58 81
         self.assertTrue(check_password('lètmein', encoded))
59 82
         self.assertFalse(check_password('lètmeinz', encoded))
60 83
         self.assertEqual(identify_hasher(encoded).algorithm, "md5")
  84
+        # Long password
  85
+        self.assertRaises(
  86
+            ValueError,
  87
+            make_password,
  88
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
  89
+            "seasalt",
  90
+            "md5",
  91
+        )
61 92
 
62 93
     def test_unsalted_md5(self):
63 94
         encoded = make_password('lètmein', '', 'unsalted_md5')
@@ -71,6 +102,14 @@ def test_unsalted_md5(self):
71 102
         self.assertTrue(is_password_usable(alt_encoded))
72 103
         self.assertTrue(check_password('lètmein', alt_encoded))
73 104
         self.assertFalse(check_password('lètmeinz', alt_encoded))
  105
+        # Long password
  106
+        self.assertRaises(
  107
+            ValueError,
  108
+            make_password,
  109
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
  110
+            "",
  111
+            "unsalted_md5",
  112
+        )
74 113
 
75 114
     def test_unsalted_sha1(self):
76 115
         encoded = make_password('lètmein', '', 'unsalted_sha1')
@@ -82,6 +121,14 @@ def test_unsalted_sha1(self):
82 121
         # Raw SHA1 isn't acceptable
83 122
         alt_encoded = encoded[6:]
84 123
         self.assertFalse(check_password('lètmein', alt_encoded))
  124
+        # Long password
  125
+        self.assertRaises(
  126
+            ValueError,
  127
+            make_password,
  128
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
  129
+            "",
  130
+            "unslated_sha1",
  131
+        )
85 132
 
86 133
     @skipUnless(crypt, "no crypt module to generate password.")
87 134
     def test_crypt(self):
@@ -91,6 +138,14 @@ def test_crypt(self):
91 138
         self.assertTrue(check_password('lètmei', encoded))
92 139
         self.assertFalse(check_password('lètmeiz', encoded))
93 140
         self.assertEqual(identify_hasher(encoded).algorithm, "crypt")
  141
+        # Long password
  142
+        self.assertRaises(
  143
+            ValueError,
  144
+            make_password,
  145
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
  146
+            "seasalt",
  147
+            "crypt",
  148
+        )
94 149
 
95 150
     @skipUnless(bcrypt, "py-bcrypt not installed")
96 151
     def test_bcrypt(self):
@@ -100,6 +155,13 @@ def test_bcrypt(self):
100 155
         self.assertTrue(check_password('lètmein', encoded))
101 156
         self.assertFalse(check_password('lètmeinz', encoded))
102 157
         self.assertEqual(identify_hasher(encoded).algorithm, "bcrypt")
  158
+        # Long password
  159
+        self.assertRaises(
  160
+            ValueError,
  161
+            make_password,
  162
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
  163
+            hasher="bcrypt",
  164
+        )
103 165
 
104 166
     def test_unusable(self):
105 167
         encoded = make_password(None)
@@ -121,6 +183,14 @@ def test_bad_encoded(self):
121 183
         self.assertFalse(is_password_usable('lètmein_badencoded'))
122 184
         self.assertFalse(is_password_usable(''))
123 185
 
  186
+    def test_max_password_length_decorator(self):
  187
+        @password_max_length(10)
  188
+        def encode(s, password, salt):
  189
+            return True
  190
+
  191
+        self.assertTrue(encode(None, b"1234", b"1234"))
  192
+        self.assertRaises(ValueError, encode, None, b"1234567890A", b"1234")
  193
+
124 194
     def test_low_level_pkbdf2(self):
125 195
         hasher = PBKDF2PasswordHasher()
126 196
         encoded = hasher.encode('lètmein', 'seasalt')

0 notes on commit 22b74fa

Please sign in to comment.
Something went wrong with that request. Please try again.