decode unicode passwords before salting+hashing (bug 858262)

mozilla · Apr 4, 2013 · 154eb0d · 154eb0d
1 parent e9d71d0
commit 154eb0d
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/apps/users/models.py b/apps/users/models.py
@@ -326,7 +326,21 @@ def check_password(self, raw_password):
             return valid
 
         algo, salt, hsh = self.password.split('$')
-        return hsh == get_hexdigest(algo, salt, raw_password)
+        #Complication due to getpersonas account migration; we don't
+        #know if passwords were utf-8 or latin-1 when hashed. If you
+        #can prove that they are one or the other, you can delete one
+        #of these branches.
+        if '+base64' in algo and isinstance(raw_password, unicode):
+            if hsh == get_hexdigest(algo, salt, raw_password.encode('utf-8')):
+                return True
+            else:
+                try:
+                    return hsh == get_hexdigest(algo, salt,
+                                                raw_password.encode('latin1'))
+                except UnicodeEncodeError:
+                    return False
+        else:
+            return hsh == get_hexdigest(algo, salt, raw_password)
 
     def set_password(self, raw_password, algorithm='sha512'):
         self.password = create_password(algorithm, raw_password)

diff --git a/apps/users/tests/test_models.py b/apps/users/tests/test_models.py
@@ -271,6 +271,26 @@ def test_persona_sha512_base64(self):
                         (encodestring(self.bytes_), hsh))
         assert u.check_password('password') is True
 
+    def test_persona_sha512_base64_maybe_utf8(self):
+        hsh = hashlib.sha512(self.bytes_ + self.utf.encode('utf8')).hexdigest()
+        u = UserProfile(password='sha512+base64$%s$%s' %
+                        (encodestring(self.bytes_), hsh))
+        assert u.check_password(self.utf) is True
+
+    def test_persona_sha512_base64_maybe_latin1(self):
+        passwd = u'fo\xf3'
+        hsh = hashlib.sha512(self.bytes_ + passwd.encode('latin1')).hexdigest()
+        u = UserProfile(password='sha512+base64$%s$%s' %
+                        (encodestring(self.bytes_), hsh))
+        assert u.check_password(passwd) is True
+
+    def test_persona_sha512_base64_maybe_not_latin1(self):
+        passwd = u'fo\xf3'
+        hsh = hashlib.sha512(self.bytes_ + passwd.encode('latin1')).hexdigest()
+        u = UserProfile(password='sha512+base64$%s$%s' %
+                        (encodestring(self.bytes_), hsh))
+        assert u.check_password(self.utf) is False
+
     def test_persona_sha512_md5_base64(self):
         md5 = hashlib.md5('password').hexdigest()
         hsh = hashlib.sha512(self.bytes_ + md5).hexdigest()