[Django] #32130: 3.0 -> 3.1 password token incompatibility.
Django
------------------------------------------+------------------------
Reporter: Gordon Wrigley | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 3.1
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------+------------------------
As noted here https://docs.djangoproject.com/en/3.1/releases/3.1/#django-
contrib-auth the hashing for password reset tokens has changed between 3.0
and 3.1 and work has been done to ensure existing tokens will still work
(at least until 4.0).
However the encoding of the token creation time has also changed.
Specifically from days since 1/1/01 to seconds since 1/1/01. And it
appears no work has been done to support tokens with the older values. So
a token generated on Oct 1, 2020 will come through as 7213 days which will
then get interpreted as 7213 seconds, aka 2am Jan 1, 2001.
So while exiting tokens in the wild will pass crypto validation they will
all show as expired if your PASSWORD_RESET_TIMEOUT is less than ~20 years.
The code base I'm working on uses these tokens (perhaps unwisely) in some
email links that are expected to have a 3 month lifetime and an upgrade
from 3.0 to 3.1 looks likely to render all the tokens in the wild expired
which is suboptimal.
--
Ticket URL: <https://code.djangoproject.com/ticket/32130>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Reporter: Gordon Wrigley | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 3.1
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Adam (Chainz) Johnson):
This seems like an oversight. Would it make sense to reinterpret tokens
with a timeout less than some small-in-seconds but large-in-days cutoff,
such as 3600 * 365, as days instead of seconds?
--
Ticket URL: <https://code.djangoproject.com/ticket/32130#comment:1>
Django
Reporter: Gordon Wrigley | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 3.1
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Adam (Chainz) Johnson):
* cc: Adam (Chainz) Johnson (added)
--
Ticket URL: <https://code.djangoproject.com/ticket/32130#comment:2>
Django
Reporter: Gordon Wrigley | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 3.1
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Gordon Wrigley):
We've been discussing using patchy to do something to that effect.
With free code access you can easily tell because the prefix is 3
characters in the old scheme and 6 in the other so you could switch off
that.
If you were to switch off value anything in the 10k (~27*365) -
600m(~19*365*60*60) range should be a safe cutoff.
--
Ticket URL: <https://code.djangoproject.com/ticket/32130#comment:3>
Django
Reporter: Gordon Wrigley | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 3.1
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Mariusz Felisiak):
Great catch, we missed this. However, I'm not sure what we can do, any
heuristic will be clunky, IMO. 1 second, 1 day, 300k seconds, or 300k days
are all valid.
--
Ticket URL: <https://code.djangoproject.com/ticket/32130#comment:4>
Django
Reporter: Gordon Wrigley | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 3.1
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Adam (Chainz) Johnson):
It’s seconds/days since January 2001, so I don’t think it’s clunky... I
doubt anyone is running an app with the clock set between 2001 and 2002
for example.
--
Ticket URL: <https://code.djangoproject.com/ticket/32130#comment:5>
Django
-------------------------------------+-------------------------------------
Reporter: Gordon Wrigley | Owner: Mariusz
| Felisiak
Type: Bug | Status: assigned
Component: contrib.auth | Version: 3.1
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Carlton Gibson):
* stage: Accepted => Ready for checkin
--
Ticket URL: <https://code.djangoproject.com/ticket/32130#comment:9>
Django
-------------------------------------+-------------------------------------
Reporter: Gordon Wrigley | Owner: Mariusz
| Felisiak
Component: contrib.auth | Version: 3.1
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by GitHub <noreply@…>):
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"34180922380cf41cd684f846ecf00f92eb289bcf" 3418092]:
{{{
#!CommitTicketReference repository=""
revision="34180922380cf41cd684f846ecf00f92eb289bcf"
Fixed #32130 -- Fixed pre-Django 3.1 password reset tokens validation.
Thanks Gordon Wrigley for the report and implementation idea.
Regression in 226ebb17290b604ef29e82fb5c1fbac3594ac163.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/32130#comment:10>
Django
-------------------------------------+-------------------------------------
Reporter: Gordon Wrigley | Owner: Mariusz
| Felisiak
Type: Bug | Status: closed
Component: contrib.auth | Version: 3.1
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Mariusz Felisiak <felisiak.mariusz@…>):
In [changeset:"767e06b5a830070939a6cd69c1ed1581446fb82b" 767e06b5]:
{{{
#!CommitTicketReference repository=""
revision="767e06b5a830070939a6cd69c1ed1581446fb82b"
[3.1.x] Fixed #32130 -- Fixed pre-Django 3.1 password reset tokens
validation.
Thanks Gordon Wrigley for the report and implementation idea.
Regression in 226ebb17290b604ef29e82fb5c1fbac3594ac163.
Backport of 34180922380cf41cd684f846ecf00f92eb289bcf from master
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/32130#comment:11>
Django
-------------------------------------+-------------------------------------
Reporter: Gordon Wrigley | Owner: Mariusz
| Felisiak
Type: Bug | Status: closed
Component: contrib.auth | Version: 3.1
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Adam (Chainz) Johnson):
Great work on a quick fix Mariusz!
--
Ticket URL: <https://code.djangoproject.com/ticket/32130#comment:12>
Django
-------------------------------------+-------------------------------------
Reporter: Gordon Wrigley | Owner: Mariusz
| Felisiak
Type: Bug | Status: closed
Component: contrib.auth | Version: 3.1
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Gordon Wrigley):
Yes, thank you for the quick response.
--
Ticket URL: <https://code.djangoproject.com/ticket/32130#comment:13>