md5 is not an approved algorithm in FIPS mode, and trying to instantiate
a hashlib.md5() will fail when the system is running in FIPS mode.
md5 is allowed when in a non-security context. There is a plan to add a
keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether
or not the instance is being used in a security context.
In the case where it is not, the instantiation of md5 will be allowed.
See https://bugs.python.org/issue9216 for more details.
Some downstream Python versions already support this parameter. To
support these versions, a new encapsulation of md5() has been added.
This encapsulation will pass through the usedforsecurity parameter in
the case where the parameter is supported, and strip it if it is not.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
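An added illustration of the encapsulation this commit message describes (example code, not Django's own; the helper names are assumed): it forwards usedforsecurity when the running interpreter's hashlib.md5 accepts that keyword, and strips it otherwise so the call still works on older interpreters.

```python
import hashlib
import inspect


def _supports_usedforsecurity(func):
    """Return True if func accepts a `usedforsecurity` keyword argument.

    Checked once at import time via inspect.signature; builtins without an
    introspectable signature are treated as the old API (no keyword).
    """
    try:
        return "usedforsecurity" in inspect.signature(func).parameters
    except (TypeError, ValueError):
        return False


# Assumed helper: decided once so every md5() call does not re-inspect.
_MD5_ACCEPTS_FLAG = _supports_usedforsecurity(hashlib.md5)


def md5(data=b"", *, usedforsecurity=True):
    """Wrapper around hashlib.md5() that passes usedforsecurity through
    when supported and drops it when the interpreter is too old to know it.

    Callers hashing for non-security purposes (cache keys, ETags, file
    fingerprints) pass usedforsecurity=False so the call is permitted in
    FIPS mode; security uses keep the default and fail there, as intended.
    """
    if _MD5_ACCEPTS_FLAG:
        return hashlib.md5(data, usedforsecurity=usedforsecurity)
    # Old interpreter: the keyword is unknown, so it is stripped here. In
    # FIPS mode this plain call may still raise ValueError; let it propagate.
    return hashlib.md5(data)


def cache_key(prefix, value):
    """Example non-security use: derive a fixed-length cache key from a string."""
    digest = md5(value.encode("utf-8"), usedforsecurity=False).hexdigest()
    return f"{prefix}:{digest}"


if __name__ == "__main__":
    print(cache_key("view", "/accounts/profile/?page=2"))
```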
Django app initialization to run a management command triggers the admin
autodiscovery. Importing django.contrib.auth.tokens creates an instance
of PasswordResetTokenGenerator, which required a SECRET_KEY.
For several management commands, the token generator is unused. It
should only complain about a missing SECRET_KEY when it is used.
Deferred accessing the module-global variable __file__ because the
Python import API does not guarantee it always exists—in particular, it
does not exist in certain "frozen" environments. The following changes
advanced this goal.
Thanks to Carlton Gibson, Tom Forbes, Mariusz Felisiak, and Shreyas
Ravi for review and feedback.
Argon2 encodes the salt as base64 for representation in the final hash
output. To be able to accurately return the used salt from decode(),
add padding, b64decode, and decode from latin1 (for the remote
possibility that someone supplied a custom hash consisting solely of
bytes -- this would require a manual construction of the hash though,
Django's interface does not allow for that).
This caused permission errors when a user didn't have permissions to
all intermediate directories in a Django installation path.
Thanks tytusd and leonyxz for reports.
Regression in edeec1247e and 26554cf5d1.
It's a transitional setting helpful in migrating multiple instances of
the same project to Django 3.1+.
Thanks Markus Holtermann for the report and review, Florian
Apolloner for the implementation idea and review, and Carlton Gibson
for the review.
Used app config to look up the user model in _create_user().
Thanks Markus Holtermann for the review and initial patch.
Thanks Simon Charette for the implementation idea.