[Django] #21398: BCryptSHA256PasswordHasher verify fails on Python 3


Django

Nov 7, 2013, 10:45:43 AM11/7/13
to django-...@googlegroups.com
#21398: BCryptSHA256PasswordHasher verify fails on Python 3
----------------------------+--------------------
Reporter: arjan@… | Owner: nobody
Type: Bug | Status: new
Component: Python 3 | Version: 1.6
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
----------------------------+--------------------
When using the BCryptSHA256PasswordHasher or derivatives, the verification
of passwords fails on Python 3.

This is due to the following line:
return constant_time_compare(data, bcrypt.hashpw(password, data))

In BCryptSHA256PasswordHasher.verify(), 'data' is forced to the 'bytes'
type, but the output of bcrypt.hashpw() is of type 'str'. The hashpw()
output should, just like 'data', be passed through force_bytes() before
comparison, because the comparison is now always returning False on
Python 3.

--
Ticket URL: <https://code.djangoproject.com/ticket/21398>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
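The failure the ticket describes, as an added example that is not part of this thread or of Django's code. It assumes a constructed hashpw() stand-in that returns str on Python 3 (it is an HMAC-SHA256 keyed by the salt prefix, not bcrypt, so the block runs without the library), a fixed constructed salt, and this example's own constant_time_compare(), which reports a bytes/str pair as a mismatch (hmac.compare_digest itself raises TypeError on mixed input). verify_before_fix() reproduces the bug; verify_after_fix() applies the suggested force_bytes() on the hashpw() result.

```python
import hashlib
import hmac

SALT_LEN = 29  # bcrypt's "$2a$<cost>$" prefix plus 22 salt characters


def force_bytes(value, encoding="utf-8"):
    """Coerce str to bytes; leave bytes untouched (plays the role that
    django.utils.encoding.force_bytes plays in the ticket)."""
    if isinstance(value, bytes):
        return value
    return value.encode(encoding)


def hashpw_returning_str(password, salt):
    """Constructed stand-in for a hashpw() that returns str on Python 3,
    the py-bcrypt 0.4 behaviour reported in the ticket. It is NOT bcrypt:
    an HMAC-SHA256 keyed by the salt prefix keeps the example runnable
    without the library. As with hashpw(), passing a full stored hash as
    `salt` reuses its prefix, so the same password reproduces the same
    60-character string."""
    prefix = force_bytes(salt)[:SALT_LEN]
    digest = hmac.new(prefix, force_bytes(password), hashlib.sha256).hexdigest()
    return (prefix + digest[:31].encode("ascii")).decode("ascii")  # str, not bytes


def constant_time_compare(val1, val2):
    """Constant-time equality for two values of the same type. A bytes/str
    pair can never be equal on Python 3, so it is reported as a mismatch
    here; hmac.compare_digest would raise TypeError on such input."""
    if isinstance(val1, bytes) != isinstance(val2, bytes):
        return False
    return hmac.compare_digest(val1, val2)


def make_password(password, salt="$2a$12$abcdefghijklmnopqrstuv"):
    """Stored form "<algorithm>$<hash>", the layout Django's hashers use.
    The salt is a constructed fixed value so results are reproducible."""
    return "bcrypt_sha256_demo$" + hashpw_returning_str(password, salt)


def verify_before_fix(password, encoded):
    """The comparison the ticket describes: `data` is forced to bytes but the
    hashpw() result is str, so the check fails even for the right password."""
    _algorithm, data = encoded.split("$", 1)
    data = force_bytes(data)
    return constant_time_compare(data, hashpw_returning_str(password, data))


def verify_after_fix(password, encoded):
    """Same check with the suggested fix: both sides go through force_bytes()
    before the constant-time comparison."""
    _algorithm, data = encoded.split("$", 1)
    data = force_bytes(data)
    computed = force_bytes(hashpw_returning_str(password, data))
    return constant_time_compare(data, computed)


if __name__ == "__main__":
    encoded = make_password("correct horse battery staple")
    print(verify_before_fix("correct horse battery staple", encoded))  # False
    print(verify_after_fix("correct horse battery staple", encoded))   # True
    print(verify_after_fix("wrong password", encoded))                 # False
```

The practical check for any hasher wrapping a third-party library is the one the fix makes explicit: normalize both operands to the same type before the constant-time comparison, because a silent type mismatch locks every user out rather than failing loudly.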

Django

Nov 7, 2013, 4:34:29 PM11/7/13
to django-...@googlegroups.com
#21398: BCryptSHA256PasswordHasher verify fails on Python 3
--------------------------+------------------------------------
Reporter: arjan@… | Owner: nobody
Type: Bug | Status: new
Component: Python 3 | Version: 1.6
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------+------------------------------------
Changes (by timo):

* cc: dstufft (added)
* needs_docs: => 0
* needs_better_patch: => 0
* needs_tests: => 0
* stage: Unreviewed => Accepted


Comment:

Are you using py-bcrypt? Django now recommends using bcrypt, however, if
we are no longer compatible with py-bcrypt and haven't put that in our
docs, we have a problem. I'm not sure if that was the intention or not.
This should be in the 1.6 release notes as well.

https://github.com/django/django/commit/c792c83cad54f064b6ba13e285e95a90e2c61f09

--
Ticket URL: <https://code.djangoproject.com/ticket/21398#comment:1>

Django

Nov 7, 2013, 4:36:13 PM11/7/13
to django-...@googlegroups.com
#21398: BCryptSHA256PasswordHasher verify fails on Python 3
--------------------------+------------------------------------
Reporter: arjan@… | Owner: nobody
Type: Bug | Status: new
Component: Python 3 | Version: 1.6
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------+------------------------------------

Comment (by dstufft):

py-bcrypt does not support Python3.

--
Ticket URL: <https://code.djangoproject.com/ticket/21398#comment:2>

Django

Nov 7, 2013, 4:53:33 PM11/7/13
to django-...@googlegroups.com
#21398: BCryptSHA256PasswordHasher verify fails on Python 3
--------------------------+------------------------------------
Reporter: arjan@… | Owner: nobody
Type: Bug | Status: new
Component: Python 3 | Version: 1.6
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------+------------------------------------

Comment (by timo):

I can't reproduce (using Django's existing tests in
django/contrib/auth/tests/test_hashers.py) `bcrypt.hashpw()` returning
`str` as reported. Arjan, can you provide more details (ideally a failing
test case for Django's test suite)?

--
Ticket URL: <https://code.djangoproject.com/ticket/21398#comment:3>

Django

Nov 8, 2013, 3:28:45 AM11/8/13
to django-...@googlegroups.com
#21398: BCryptSHA256PasswordHasher verify fails on Python 3
--------------------------+------------------------------------
Reporter: arjan@… | Owner: nobody
Type: Bug | Status: new
Component: Python 3 | Version: 1.6
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------+------------------------------------

Comment (by arjan@…):

I was indeed using py-bcrypt. When I switch to bcrypt everything works
perfectly.
Please put the incompatibility with py-bcrypt in the release notes, as I
was using it with Django 1.5 and Python 3 before without any problems.
(py-bcrypt supports Python 3 since version 0.4 according to their website.)
I actually did read the release notes before upgrading, so an entry in
there would have saved me a lot of headaches.

--
Ticket URL: <https://code.djangoproject.com/ticket/21398#comment:4>

Django

Nov 8, 2013, 7:50:12 PM11/8/13
to django-...@googlegroups.com
#21398: BCryptSHA256PasswordHasher verify fails on Python 3
--------------------------+------------------------------------
Reporter: arjan@… | Owner: nobody
Type: Bug | Status: new
Component: Python 3 | Version: 1.6
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------+------------------------------------

Comment (by timo):

Donald, what would you like to do here? I can draft a doc patch for the
release notes if necessary.

--
Ticket URL: <https://code.djangoproject.com/ticket/21398#comment:5>

Django

Nov 8, 2013, 7:55:40 PM11/8/13
to django-...@googlegroups.com
#21398: BCryptSHA256PasswordHasher verify fails on Python 3
--------------------------+------------------------------------
Reporter: arjan@… | Owner: nobody
Type: Bug | Status: new
Component: Python 3 | Version: 1.6
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------+------------------------------------

Comment (by dstufft):

I don't have a problem with forcing the data through force_bytes.

--
Ticket URL: <https://code.djangoproject.com/ticket/21398#comment:6>

Django

Nov 8, 2013, 8:23:18 PM11/8/13
to django-...@googlegroups.com
#21398: Fix py-bcrypt compatibility on Python 3
---------------------------------+------------------------------------
Reporter: arjan@… | Owner: nobody
Type: Bug | Status: new
Component: Python 3 | Version: 1.6
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
Changes (by timo):

* severity: Normal => Release blocker


Comment:

All right, I'll mark this as a release blocker so we backport it to 1.6.
Not sure if we can integrate the verification with Jenkins easily since
presumably bcrypt and py-bcrypt can't be easily installed side by side.

--
Ticket URL: <https://code.djangoproject.com/ticket/21398#comment:7>

Django

Nov 9, 2013, 6:51:49 AM11/9/13
to django-...@googlegroups.com
#21398: Fix py-bcrypt compatibility on Python 3
---------------------------------+------------------------------------
Reporter: arjan@… | Owner: nobody
Type: Bug | Status: new
Component: Python 3 | Version: 1.6
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
Changes (by timo):

* has_patch: 0 => 1


Comment:

[https://github.com/django/django/pull/1901 Pull request] that simply adds
a `force_bytes()` call as suggested. This does fix the tests on Python 3
with py-bcrypt 0.4.

--
Ticket URL: <https://code.djangoproject.com/ticket/21398#comment:8>

Django

Nov 9, 2013, 10:01:33 AM11/9/13
to django-...@googlegroups.com
#21398: Fix py-bcrypt compatibility on Python 3
-------------------------------------+-------------------------------------
Reporter: arjan@… | Owner: nobody
Type: Bug | Status: new
Component: Python 3 | Version: 1.6
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by claudep):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/21398#comment:9>

Django

Nov 9, 2013, 10:12:52 AM11/9/13
to django-...@googlegroups.com
#21398: Fix py-bcrypt compatibility on Python 3
-------------------------------------+-------------------------------------
Reporter: arjan@… | Owner: nobody
Type: Bug | Status: closed
Component: Python 3 | Version: 1.6
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: new => closed
* resolution: => fixed


Comment:

In [changeset:"d15985d81ff1c3b353a48a87189b7847798214c0"]:
{{{
#!CommitTicketReference repository=""
revision="d15985d81ff1c3b353a48a87189b7847798214c0"
Fixed #21398 -- Fixed BCryptSHA256PasswordHasher with py-bcrypt and Python
3.

Thanks arjan at anymore.nl for the report.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/21398#comment:10>

Django

Nov 9, 2013, 10:27:10 AM11/9/13
to django-...@googlegroups.com
#21398: Fix py-bcrypt compatibility on Python 3
-------------------------------------+-------------------------------------
Reporter: arjan@… | Owner: nobody
Type: Bug | Status: closed
Component: Python 3 | Version: 1.6
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"4b9e932fd46eaac4774d229c40c2ee75f8fb759b"]:
{{{
#!CommitTicketReference repository=""
revision="4b9e932fd46eaac4774d229c40c2ee75f8fb759b"
[1.6.x] Fixed #21398 -- Fixed BCryptSHA256PasswordHasher with py-bcrypt
and Python 3.

Thanks arjan at anymore.nl for the report.

Backport of d15985d81f from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/21398#comment:11>
