Fix a security issue in the auth system. Disclosure and new release forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15032 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
732198ed5c
commit
6819be1ea1
|
@ -72,3 +72,14 @@ class TokenGeneratorTest(TestCase):
|
||||||
p0 = PasswordResetTokenGenerator()
|
p0 = PasswordResetTokenGenerator()
|
||||||
tk1 = _make_token(user)
|
tk1 = _make_token(user)
|
||||||
self.assertTrue(p0.check_token(user, tk1))
|
self.assertTrue(p0.check_token(user, tk1))
|
||||||
|
|
||||||
|
def test_date_length(self):
|
||||||
|
"""
|
||||||
|
Make sure we don't allow overly long dates, causing a potential DoS.
|
||||||
|
"""
|
||||||
|
user = User.objects.create_user('ima1337h4x0r', 'test4@example.com', 'p4ssw0rd')
|
||||||
|
p0 = PasswordResetTokenGenerator()
|
||||||
|
|
||||||
|
# This will put a 14-digit base36 timestamp into the token, which is too large.
|
||||||
|
tk1 = p0._make_token_with_timestamp(user, 175455491841851871349)
|
||||||
|
self.assertFalse(p0.check_token(user, tk1))
|
||||||
|
|
|
@ -11,7 +11,7 @@ urlpatterns = patterns('',
|
||||||
(r'^password_change/done/$', 'django.contrib.auth.views.password_change_done'),
|
(r'^password_change/done/$', 'django.contrib.auth.views.password_change_done'),
|
||||||
(r'^password_reset/$', 'django.contrib.auth.views.password_reset'),
|
(r'^password_reset/$', 'django.contrib.auth.views.password_reset'),
|
||||||
(r'^password_reset/done/$', 'django.contrib.auth.views.password_reset_done'),
|
(r'^password_reset/done/$', 'django.contrib.auth.views.password_reset_done'),
|
||||||
(r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$', 'django.contrib.auth.views.password_reset_confirm'),
|
(r'^reset/(?P<uidb36>[0-9A-Za-z]{1,13})-(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$', 'django.contrib.auth.views.password_reset_confirm'),
|
||||||
(r'^reset/done/$', 'django.contrib.auth.views.password_reset_complete'),
|
(r'^reset/done/$', 'django.contrib.auth.views.password_reset_complete'),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -73,8 +73,13 @@ def http_date(epoch_seconds=None):
|
||||||
|
|
||||||
def base36_to_int(s):
|
def base36_to_int(s):
|
||||||
"""
|
"""
|
||||||
Convertd a base 36 string to an integer
|
Converts a base 36 string to an ``int``. To prevent
|
||||||
|
overconsumption of server resources, raises ``ValueError` if the
|
||||||
|
input is longer than 13 base36 digits (13 digits is sufficient to
|
||||||
|
base36-encode any 64-bit integer).
|
||||||
"""
|
"""
|
||||||
|
if len(s) > 13:
|
||||||
|
raise ValueError("Base36 input too large")
|
||||||
return int(s, 36)
|
return int(s, 36)
|
||||||
|
|
||||||
def int_to_base36(i):
|
def int_to_base36(i):
|
||||||
|
|
Loading…
Reference in New Issue