[Django] #21535: Password hash iterations not updating.


Django

Nov 29, 2013, 5:00:09 PM
to django-...@googlegroups.com
#21535: Password hash iterations not updating.
------------------------------+--------------------
Reporter: jared_mess | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 1.6
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 1 | UI/UX: 0
------------------------------+--------------------
If you follow the steps in the
documentation:[https://docs.djangoproject.com/en/dev/topics/auth/passwords/]
to change the hash iterations through a subclass, the iterations don't
update.

This looks like a trivial fix.
In hashers.py, check_password(password, encoded, setter=None,
preferred='default'), it calls hasher.must_update instead of
preferred.must_update.

*This is my first bug report here. I've read through all the FAQ and
searched the bug DB, and couldn't find anything. If I've made a mistake,
broke a cardinal rule, please let me know.

--
Ticket URL: <https://code.djangoproject.com/ticket/21535>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Nov 29, 2013, 9:01:48 PM
to django-...@googlegroups.com
#21535: Password hash iterations not updating.
---------------------------------+------------------------------------
Reporter: jared_mess | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 1.6
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
---------------------------------+------------------------------------
Changes (by timo):

* severity: Normal => Release blocker
* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0
* has_patch: 0 => 1
* stage: Unreviewed => Accepted


Comment:

Thanks for the report. This looks like a mistake on our part in a new
feature in 1.6, so I'm marking it as a release blocker for 1.6.1.
Regarding "broke a cardinal rule", note that since this is security
related, it might have been better to report the issue
[https://docs.djangoproject.com/en/dev/internals/security/#reporting-security-issues as outlined here].
In this case, there isn't any harm
since this isn't a vulnerability but rather causes actual security to be
lower than advertised.

I've added a [https://github.com/django/django/pull/2009 pull request]
with the fix you outlined as well as an updated test.

--
Ticket URL: <https://code.djangoproject.com/ticket/21535#comment:1>

Django

Nov 30, 2013, 2:19:12 PM
to django-...@googlegroups.com
#21535: Password hash iterations not updating.
---------------------------------+------------------------------------
Reporter: jared_mess | Owner: nobody
Type: Bug | Status: closed
Component: contrib.auth | Version: 1.6
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
---------------------------------+------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: new => closed
* resolution: => fixed


Comment:

In [changeset:"fddb0131d37109c809ec391e1a134ef1d9e442a7"]:
{{{
#!CommitTicketReference repository=""
revision="fddb0131d37109c809ec391e1a134ef1d9e442a7"
Fixed #21535 -- Fixed password hash iteration upgrade.

Thanks jared_mess for the report.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/21535#comment:2>

Django

Nov 30, 2013, 2:46:46 PM
to django-...@googlegroups.com
#21535: Password hash iterations not updating.
---------------------------------+------------------------------------
Reporter: jared_mess | Owner: nobody
Type: Bug | Status: closed
Component: contrib.auth | Version: 1.6
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
---------------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"2f42bbaba739079713a555b9881ca5762ee0a0dc"]:
{{{
#!CommitTicketReference repository=""
revision="2f42bbaba739079713a555b9881ca5762ee0a0dc"
[1.6.x] Fixed #21535 -- Fixed password hash iteration upgrade.

Thanks jared_mess for the report.

Backport of fddb0131d3 from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/21535#comment:3>
