innov
/
django1
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity
29,835 Commits 25 Branches 361 Tags 501 MiB
Commit Graph

87 Commits

Author SHA1 Message Date
ryowright 1783b3cb24 Fixed #32275 -- Added scrypt password hasher. 
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
 2021-07-22 12:40:33 +02:00
Mariusz Felisiak 83022d279c
Refs #32508 -- Raised TypeError/ValueError instead of using "assert" in encode() methods of some password hashers. 2021-07-22 09:42:07 +02:00
Mariusz Felisiak a948d9df39 Increased the default PBKDF2 iterations for Django 4.0. 2021-01-14 17:50:04 +01:00
Jon Moroney 76ae6ccf85 Fixed #31358 -- Increased salt entropy of password hashers. 
Co-authored-by: Florian Apolloner <florian@apolloner.eu>
 2021-01-14 11:20:28 +01:00
Florian Apolloner 64cc9dcdad Refs #31358 -- Added constant for get_random_string()'s default alphabet. 2021-01-13 20:40:40 +01:00
Florian Apolloner c76d51b3ad Refs #31358 -- Fixed decoding salt in Argon2PasswordHasher. 
Argon2 encodes the salt as base64 for representation in the final hash
output. To be able to accurately return the used salt from decode(),
add padding, b64decode, and decode from latin1 (for the remote
possibility that someone supplied a custom hash consisting solely of
bytes -- this would require a manual construction of the hash though,
Django's interface does not allow for that).
 2020-12-28 11:02:08 +01:00
Florian Apolloner 1b7086b2ea Refs #31358 -- Simplified Argon2PasswordHasher.must_update() by using decode(). 2020-12-28 11:02:03 +01:00
Jon Moroney 136ec9b62b Refs #31358 -- Added decode() to password hashers. 
By convention a hasher which does not use a salt should populate the
decode dict with `None` rather than omit the dict key.

Co-Authored-By: Florian Apolloner <apollo13@users.noreply.github.com>
 2020-06-23 08:36:59 +02:00
Florian Apolloner 1621f06051 Fixed #30472 -- Made Argon2PasswordHasher use Argon2id. 2020-06-17 08:10:41 +02:00
Florian Apolloner faad809e09 Refs #30472 -- Simplified Argon2PasswordHasher with argon2-cffi 19.1+ API. 2020-06-17 08:10:41 +02:00
Mariusz Felisiak f2187a227f Increased the default PBKDF2 iterations for Django 3.2. 2020-05-13 09:07:51 +02:00
Hasan Ramezani 8aa71f4e87 Fixed #31375 -- Made contrib.auth.hashers.make_password() accept only bytes or strings. 2020-03-31 10:52:56 +02:00
Claude Paroz e663f695fb Fixed #31359 -- Deprecated get_random_string() calls without an explicit length. 2020-03-11 13:16:44 +01:00
Carlton Gibson b5db65c4fb Increased the default PBKDF2 iterations for Django 3.1. 2019-09-12 17:24:01 +02:00
Nick Pope 24b82cd201 Fixed #30159 -- Removed unneeded use of OrderedDict. 
Dicts preserve order since Python 3.6.
 2019-02-06 13:48:39 -05:00
Tim Graham 06670015f7 Increased the default PBKDF2 iterations for Django 3.0. 2019-01-17 11:15:27 -05:00
Tim Graham 9792af3648 Increased the default PBKDF2 iterations for Django 2.2. 2018-05-17 11:05:45 -04:00
Tim Graham cae0107287 Increased the default PBKDF2 iterations for Django 2.1. 2018-05-13 20:06:20 -04:00
Tim Graham a4f0e9aec7 Fixed #28718 -- Allowed user to request a password reset if their password doesn't use an enabled hasher. 
Regression in aeb1389442.
Reverted changes to is_password_usable() from
703c266682 and documentation changes from
92f48680db.
 2018-03-22 10:03:43 -04:00
Tim Graham 56a302f338 Fixed #29141 -- Corrected BCryptPasswordHasher's docstring about truncation. 2018-02-26 14:07:38 -05:00
Jon Dufresne 16c5a334ff Refs #27795 -- Replaced force_text/bytes() with decode()/encode() in password hashers. 2018-02-01 12:36:21 -05:00
Дилян Палаузов d7b2aa24f7 Fixed #28982 -- Simplified code with and/or. 2018-01-03 20:12:23 -05:00
Claude Paroz c651331b34 Converted usage of ugettext* functions to their gettext* aliases 
Thanks Tim Graham for the review.
 2017-02-07 09:04:04 +01:00
Anton Samarchyan 5411821e3b Refs #27656 -- Updated django.contrib docstring verb style according to PEP 257. 2017-02-04 16:39:28 -05:00
Tim Graham 1c466994d9 Refs #23919 -- Removed misc Python 2/3 references. 2017-01-25 13:59:25 -05:00
Claude Paroz dc8834cad4 Refs #23919 -- Removed unneeded force_str calls 2017-01-20 08:44:31 +01:00
Simon Charette cecc079168 Refs #23919 -- Stopped inheriting from object to define new style classes. 2017-01-19 08:39:46 +01:00
Aymeric Augustin 3cc5f01d9b Refs #23919 -- Stopped using django.utils.lru_cache(). 2017-01-18 21:42:40 -05:00
Claude Paroz d7b9aaa366 Refs #23919 -- Removed encoding preambles and future imports 2017-01-18 09:55:19 +01:00
Tim Graham 0bf3228eec Increased the default PBKDF2 iterations for the 1.11 release cycle. 2017-01-17 20:52:05 -05:00
Tim Graham 967aa7f6cc Fixed #27010 -- Made Argon2PasswordHasher decode with ASCII. 
The underlying hasher only generates strings containing ASCII
characters so this is merely a cosmetic change.
 2016-08-04 10:57:37 -04:00
Tim Graham 1915a7e5c5 Increased the default PBKDF2 iterations. 2016-05-20 09:19:19 -04:00
Bas Westerbaan a5033dbc58 Refs #26033 -- Added password hasher support for Argon2 v1.3. 
The previous version of Argon2 uses encoded hashes of the form:
   $argon2d$m=8,t=1,p=1$<salt>$<data>

The new version of Argon2 adds its version into the hash:
   $argon2d$v=19$m=8,t=1,p=1$<salt>$<data>

This lets Django handle both version properly.
 2016-04-25 21:17:53 -04:00
Tim Graham 1243fdf5cb Fixed #26395 -- Skipped the CryptPasswordHasher tests on platforms with a dummy crypt module. 2016-03-22 11:22:21 -04:00
Bas Westerbaan b4250ea04a Fixed #26033 -- Added Argon2 password hasher. 2016-03-08 11:22:18 -05:00
Florian Apolloner 67b46ba701 Fixed CVE-2016-2513 -- Fixed user enumeration timing attack during login. 
This is a security fix.
 2016-03-01 11:25:28 -05:00
Tim Graham 926d41f0e7 Updated some comments for BCryptSHA256PasswordHasher. 2016-02-11 11:57:12 -05:00
Matt Robenolt 8048411c97 Fixed a typo in BCryptPasswordHasher docstring 
There is no BCryptSHA512PasswordHasher.
 2016-01-09 12:14:51 -05:00
Tim Graham f0ad641628 Fixed #26016 -- Restored contrib.auth hashers compatibility with py-bcrypt. 
Reverted "Explicitly passed rounds as rounds to bcrypt.gensalt()"

This reverts commit 23529fb195.
 2016-01-02 06:54:13 -05:00
Tim Graham 593c9eb660 Increased the default PBKDF2 iterations for the 1.10 release cycle. 2015-09-23 19:31:11 -04:00
Curtis Maloney 23529fb195 Explicitly passed rounds as rounds to bcrypt.gensalt() 2015-07-13 12:35:24 -04:00
Tim Graham b86abbceb9 Fixed #24115 -- Allowed bcrypt hashers to upgrade passwords on rounds change. 
Thanks Florian Apolloner for the review.
 2015-03-30 18:52:59 -04:00
Simon Charette 19f7278c86 Removed reference to iteration count in the PBKDF2 hasher docstring. 2015-02-20 16:37:29 -05:00
Frank Wiles e43f99d1a9 Fixed PBKDF2PasswordHasher comments to reflect reality. 2015-02-20 16:00:51 -05:00
Tim Graham 0ed7d15563 Sorted imports with isort; refs #23860. 2015-02-06 08:16:28 -05:00
Tim Graham c51258882b Increased the default PBKDF2 iterations. 2015-01-16 19:27:10 -05:00
Collin Anderson 5dddd79433 Fixed #20349 -- Moved setting_changed signal to django.core.signals. 
This removes the need to load django.test when not testing.
 2014-12-24 07:18:43 -05:00
Aymeric Augustin dca33ac15d Simplified caching of password hashers. 
load_hashers cached its result regardless of its password_hashers
argument which required fragile cache invalidation. Remove that
argument in favor of @override_settings and triggering cache
invalidation with a signal.
 2014-11-19 21:35:39 +01:00
Alex Gaynor 6732566967 Bump the default iterations for PBKDF2. 
The rate at which we've increased this has not been keeping up with hardware (and software) improvements, and we're now considerably behind where we should be. The delta between our performance and an optimized implementation's performance prevents us from improving that further, but hopefully once Python 2.7.8 and 3.4+ get into more hands we can more aggressively increase this number.
 2014-07-11 22:43:26 -07:00
Rodolfo Carvalho 0d91225892 Fixed many typos in comments and docstrings. 
Thanks Piotr Kasprzyk for help with the patch.
 2014-03-03 07:38:09 -05:00