Commit Graph

62 Commits

Author SHA1 Message Date
Claude Paroz dc8834cad4 Refs #23919 -- Removed unneeded force_str calls 2017-01-20 08:44:31 +01:00
Simon Charette cecc079168 Refs #23919 -- Stopped inheriting from object to define new style classes. 2017-01-19 08:39:46 +01:00
Aymeric Augustin 3cc5f01d9b Refs #23919 -- Stopped using django.utils.lru_cache(). 2017-01-18 21:42:40 -05:00
Claude Paroz d7b9aaa366 Refs #23919 -- Removed encoding preambles and future imports 2017-01-18 09:55:19 +01:00
Tim Graham 0bf3228eec Increased the default PBKDF2 iterations for the 1.11 release cycle. 2017-01-17 20:52:05 -05:00
Tim Graham 967aa7f6cc Fixed #27010 -- Made Argon2PasswordHasher decode with ASCII.
The underlying hasher only generates strings containing ASCII
characters so this is merely a cosmetic change.
2016-08-04 10:57:37 -04:00
Tim Graham 1915a7e5c5 Increased the default PBKDF2 iterations. 2016-05-20 09:19:19 -04:00
Bas Westerbaan a5033dbc58 Refs #26033 -- Added password hasher support for Argon2 v1.3.
The previous version of Argon2 uses encoded hashes of the form:
   $argon2d$m=8,t=1,p=1$<salt>$<data>

The new version of Argon2 adds its version into the hash:
   $argon2d$v=19$m=8,t=1,p=1$<salt>$<data>

This lets Django handle both version properly.
2016-04-25 21:17:53 -04:00
Tim Graham 1243fdf5cb Fixed #26395 -- Skipped the CryptPasswordHasher tests on platforms with a dummy crypt module. 2016-03-22 11:22:21 -04:00
Bas Westerbaan b4250ea04a Fixed #26033 -- Added Argon2 password hasher. 2016-03-08 11:22:18 -05:00
Florian Apolloner 67b46ba701 Fixed CVE-2016-2513 -- Fixed user enumeration timing attack during login.
This is a security fix.
2016-03-01 11:25:28 -05:00
Tim Graham 926d41f0e7 Updated some comments for BCryptSHA256PasswordHasher. 2016-02-11 11:57:12 -05:00
Matt Robenolt 8048411c97 Fixed a typo in BCryptPasswordHasher docstring
There is no BCryptSHA512PasswordHasher.
2016-01-09 12:14:51 -05:00
Tim Graham f0ad641628 Fixed #26016 -- Restored contrib.auth hashers compatibility with py-bcrypt.
Reverted "Explicitly passed rounds as rounds to bcrypt.gensalt()"

This reverts commit 23529fb195.
2016-01-02 06:54:13 -05:00
Tim Graham 593c9eb660 Increased the default PBKDF2 iterations for the 1.10 release cycle. 2015-09-23 19:31:11 -04:00
Curtis Maloney 23529fb195 Explicitly passed rounds as rounds to bcrypt.gensalt() 2015-07-13 12:35:24 -04:00
Tim Graham b86abbceb9 Fixed #24115 -- Allowed bcrypt hashers to upgrade passwords on rounds change.
Thanks Florian Apolloner for the review.
2015-03-30 18:52:59 -04:00
Simon Charette 19f7278c86 Removed reference to iteration count in the PBKDF2 hasher docstring. 2015-02-20 16:37:29 -05:00
Frank Wiles e43f99d1a9 Fixed PBKDF2PasswordHasher comments to reflect reality. 2015-02-20 16:00:51 -05:00
Tim Graham 0ed7d15563 Sorted imports with isort; refs #23860. 2015-02-06 08:16:28 -05:00
Tim Graham c51258882b Increased the default PBKDF2 iterations. 2015-01-16 19:27:10 -05:00
Collin Anderson 5dddd79433 Fixed #20349 -- Moved setting_changed signal to django.core.signals.
This removes the need to load django.test when not testing.
2014-12-24 07:18:43 -05:00
Aymeric Augustin dca33ac15d Simplified caching of password hashers.
load_hashers cached its result regardless of its password_hashers
argument which required fragile cache invalidation. Remove that
argument in favor of @override_settings and triggering cache
invalidation with a signal.
2014-11-19 21:35:39 +01:00
Alex Gaynor 6732566967 Bump the default iterations for PBKDF2.
The rate at which we've increased this has not been keeping up with hardware (and software) improvements, and we're now considerably behind where we should be. The delta between our performance and an optimized implementation's performance prevents us from improving that further, but hopefully once Python 2.7.8 and 3.4+ get into more hands we can more aggressively increase this number.
2014-07-11 22:43:26 -07:00
Rodolfo Carvalho 0d91225892 Fixed many typos in comments and docstrings.
Thanks Piotr Kasprzyk for help with the patch.
2014-03-03 07:38:09 -05:00
Berker Peksag 5d263dee30 Fixed #21674 -- Deprecated the import_by_path() function in favor of import_string().
Thanks Aymeric Augustin for the suggestion and review.
2014-02-08 11:12:19 -05:00
Tim Graham fddb0131d3 Fixed #21535 -- Fixed password hash iteration upgrade.
Thanks jared_mess for the report.
2013-11-30 14:18:37 -05:00
Tim Graham d15985d81f Fixed #21398 -- Fixed BCryptSHA256PasswordHasher with py-bcrypt and Python 3.
Thanks arjan at anymore.nl for the report.
2013-11-09 10:11:50 -05:00
Florian Apolloner 7d0d0dbf26 Force update of the password on iteration count changes. 2013-10-21 20:31:28 +02:00
Tim Graham 1dae4ac177 Whitespace cleanup.
* Removed trailing whitespace.
* Added newline to EOF if missing.
* Removed blank lines at EOF.
* Removed some stray tabs.
2013-10-10 16:49:20 -04:00
Florian Apolloner 5d74853e15 Revert "Ensure that passwords are never long enough for a DoS."
This reverts commit aae5a96d57.

This fix is no longer necessary, our pbkdf2 (see next commit) implementation
no longer rehashes the password every iteration.
2013-09-24 21:01:21 +02:00
Paul McMillan a075e2ad0d Increase default PBKDF2 iterations
Increases the default PBKDF2 iterations, since computers have gotten
faster since 2011. In the future, we plan to increment by 10% per
major version.
2013-09-19 18:02:25 +01:00
Russell Keith-Magee aae5a96d57 Ensure that passwords are never long enough for a DoS.
* Limit the password length to 4096 bytes
  * Password hashers will raise a ValueError
  * django.contrib.auth forms will fail validation
* Document in release notes that this is a backwards incompatible change

Thanks to Josh Wright for the report, and Donald Stufft for the patch.

This is a security fix; disclosure to follow shortly.
2013-09-15 13:42:23 +08:00
Gregor MacGregor b2b763448f Fixed #20841 -- Added messages to NotImplementedErrors
Thanks joseph at vertstudios.com for the suggestion.
2013-09-10 11:09:59 -04:00
Tim Graham c7d0ff0cad Fixed #20989 -- Removed explicit list comprehension inside dict() and tuple()
Thanks jeroen.pulles at redslider.net for the suggestion and
helper script.
2013-08-29 12:11:03 -04:00
Alex Gaynor 3e0eb2d788 Fixed a number of lint warnings, particularly around unused variables. 2013-08-04 09:17:10 -07:00
Curtis Maloney 07876cf02b Deprecated SortedDict (replaced with collections.OrderedDict)
Thanks Loic Bistuer for the review.
2013-08-04 07:09:39 -04:00
Claude Paroz fdd7a355bf Deprecated django.utils.importlib
This was a shim for pre-Python 2.7 support.
2013-07-29 17:10:22 +02:00
Simon Charette 8759778185 Fixed #20675 -- `check_password` should work when no password is specified.
The regression was introduced by 2c4fe761a. refs #20593.
2013-07-03 14:09:58 -04:00
Erik Romijn aeb1389442 Fixed #20079 -- Improve security of password reset tokens 2013-06-18 20:02:00 +02:00
Erik Romijn 2c4fe761a0 Fixed #20593 -- Allow blank passwords in check_password() and set_password() 2013-06-18 13:32:54 -04:00
Jaap Roes 990f8d92dc Fixed #20599 -- Changed wording of ValueError raised by _load_library
The _load_library method on BasePasswordHasher turns ImportErrors
into ValueErrors, this masks ImportErrors in the algorithm library.
Changed it to a clearer worded error message that includes
the ImportError string.
2013-06-15 10:50:55 +02:00
Donald Stufft 8f0a4665d6 Recommend using the bcrypt library instead of py-bcrypt
* py-bcrypt has not been updated in some time
* py-bcrypt does not support Python3
* py3k-bcrypt, a port of py-bcrypt to python3 is not compatible
  with Django
* bcrypt is supported on all versions of Python that Django
  supports
2013-05-13 23:49:00 -04:00
Donald Stufft 3070e8f711 Properly force bytes or str for bcrypt on Python3 2013-05-11 11:16:06 -04:00
Donald Stufft 25f2acfed0 Fixed #20138 -- Added BCryptSHA256PasswordHasher
BCryptSHA256PasswordHasher pre-hashes the users password using
SHA256 to prevent the 72 byte truncation inherient in the BCrypt
algorithm.
2013-03-26 13:26:57 -04:00
Aymeric Augustin f1255a3c09 Fixed #18144 -- Restored compatibility with SHA1 hashes with empty salt.
Thanks dahool for the report and initial version of the patch.
2013-02-25 20:21:58 +01:00
Claude Paroz 7c5b244826 Fixed #17061 -- Factored out importing object from a dotted path
Thanks Carl Meyer for the report.
2013-02-04 16:38:25 +01:00
Claude Paroz 1f8e7bb075 Added missing parentheses in if clause 2013-02-02 12:13:47 +01:00
Claude Paroz 63d6a50dd8 Fixed #18144 -- Added backwards compatibility with old unsalted MD5 passwords
Thanks apreobrazhensky at gmail.com for the report.
2013-02-02 12:02:36 +01:00
Claude Paroz 0dc3fc954f Fixed #19509 -- Fixed crypt/bcrypt non-ascii password encoding
Also systematically added non-ascii passwords in hashers test suite.
Thanks Vaal for the report.
2012-12-22 16:04:10 +01:00