3b79dab19a
Refs #33691 -- Deprecated insecure password hashers.
...
SHA1PasswordHasher, UnsaltedSHA1PasswordHasher, and UnsaltedMD5PasswordHasher
are now deprecated.
2022-07-23 21:29:31 +02:00
3c6f1fd1f8
Increased the default PBKDF2 iterations for Django 4.2.
2022-05-17 14:22:06 +02:00
02dbf1667c
Fixed #33691 -- Deprecated django.contrib.auth.hashers.CryptPasswordHasher.
2022-05-11 09:13:45 +02:00
9c19aff7c7
Refs #33476 -- Reformatted code with Black.
2022-02-07 20:37:05 +01:00
c5cd878382
Refs #33476 -- Refactored problematic code before reformatting by Black.
...
In these cases Black produces unexpected results, e.g.
def make_random_password(
self,
length=10,
allowed_chars='abcdefghjkmnpqrstuvwxyz' 'ABCDEFGHJKLMNPQRSTUVWXYZ' '23456789',
):
or
cursor.execute("""
SELECT ...
""",
[table name],
)
2022-02-03 11:20:46 +01:00
b0d16d0129
Changed signatures of setting_changed signal receivers.
2021-12-17 13:07:04 +01:00
d10c7bfe56
Fixed #28401 -- Allowed hashlib.md5() calls to work with FIPS kernels.
...
md5 is not an approved algorithm in FIPS mode, and trying to instantiate
a hashlib.md5() will fail when the system is running in FIPS mode.
md5 is allowed when in a non-security context. There is a plan to add a
keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether
or not the instance is being used in a security context.
In the case where it is not, the instantiation of md5 will be allowed.
See https://bugs.python.org/issue9216 for more details.
Some downstream python versions already support this parameter. To
support these versions, a new encapsulation of md5() has been added.
This encapsulation will pass through the usedforsecurity parameter in
the case where the parameter is supported, and strip it if it is not.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-10-12 08:58:27 +02:00
5bac1719a2
Refs #32355 -- Used @functools.lru_cache as a straight decorator.
2021-09-27 09:10:58 +02:00
32b7ffc2bb
Increased the default PBKDF2 iterations for Django 4.1.
2021-09-20 21:23:01 +02:00
a7f27fca52
Refs #32508 -- Raised TypeError/ValueError instead of using "assert" in encode() methods of remaining password hashers.
2021-09-06 07:47:53 +02:00
1783b3cb24
Fixed #32275 -- Added scrypt password hasher.
...
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-07-22 12:40:33 +02:00
83022d279c
Refs #32508 -- Raised TypeError/ValueError instead of using "assert" in encode() methods of some password hashers.
2021-07-22 09:42:07 +02:00
a948d9df39
Increased the default PBKDF2 iterations for Django 4.0.
2021-01-14 17:50:04 +01:00
76ae6ccf85
Fixed #31358 -- Increased salt entropy of password hashers.
...
Co-authored-by: Florian Apolloner <florian@apolloner.eu>
2021-01-14 11:20:28 +01:00
64cc9dcdad
Refs #31358 -- Added constant for get_random_string()'s default alphabet.
2021-01-13 20:40:40 +01:00
c76d51b3ad
Refs #31358 -- Fixed decoding salt in Argon2PasswordHasher.
...
Argon2 encodes the salt as base64 for representation in the final hash
output. To be able to accurately return the used salt from decode(),
add padding, b64decode, and decode from latin1 (for the remote
possibility that someone supplied a custom hash consisting solely of
bytes -- this would require a manual construction of the hash though,
Django's interface does not allow for that).
2020-12-28 11:02:08 +01:00
1b7086b2ea
Refs #31358 -- Simplified Argon2PasswordHasher.must_update() by using decode().
2020-12-28 11:02:03 +01:00
136ec9b62b
Refs #31358 -- Added decode() to password hashers.
...
By convention a hasher which does not use a salt should populate the
decode dict with `None` rather than omit the dict key.
Co-Authored-By: Florian Apolloner <apollo13@users.noreply.github.com>
2020-06-23 08:36:59 +02:00
1621f06051
Fixed #30472 -- Made Argon2PasswordHasher use Argon2id.
2020-06-17 08:10:41 +02:00
faad809e09
Refs #30472 -- Simplified Argon2PasswordHasher with argon2-cffi 19.1+ API.
2020-06-17 08:10:41 +02:00
f2187a227f
Increased the default PBKDF2 iterations for Django 3.2.
2020-05-13 09:07:51 +02:00
8aa71f4e87
Fixed #31375 -- Made contrib.auth.hashers.make_password() accept only bytes or strings.
2020-03-31 10:52:56 +02:00
e663f695fb
Fixed #31359 -- Deprecated get_random_string() calls without an explicit length.
2020-03-11 13:16:44 +01:00
b5db65c4fb
Increased the default PBKDF2 iterations for Django 3.1.
2019-09-12 17:24:01 +02:00
24b82cd201
Fixed #30159 -- Removed unneeded use of OrderedDict.
...
Dicts preserve order since Python 3.6.
2019-02-06 13:48:39 -05:00
06670015f7
Increased the default PBKDF2 iterations for Django 3.0.
2019-01-17 11:15:27 -05:00
9792af3648
Increased the default PBKDF2 iterations for Django 2.2.
2018-05-17 11:05:45 -04:00
cae0107287
Increased the default PBKDF2 iterations for Django 2.1.
2018-05-13 20:06:20 -04:00
a4f0e9aec7
Fixed #28718 -- Allowed user to request a password reset if their password doesn't use an enabled hasher.
...
Regression in aeb1389442703c26668292f48680db
2018-03-22 10:03:43 -04:00
56a302f338
Fixed #29141 -- Corrected BCryptPasswordHasher's docstring about truncation.
2018-02-26 14:07:38 -05:00
16c5a334ff
Refs #27795 -- Replaced force_text/bytes() with decode()/encode() in password hashers.
2018-02-01 12:36:21 -05:00
d7b2aa24f7
Fixed #28982 -- Simplified code with and/or.
2018-01-03 20:12:23 -05:00
c651331b34
Converted usage of ugettext* functions to their gettext* aliases
...
Thanks Tim Graham for the review.
2017-02-07 09:04:04 +01:00
5411821e3b
Refs #27656 -- Updated django.contrib docstring verb style according to PEP 257.
2017-02-04 16:39:28 -05:00
1c466994d9
Refs #23919 -- Removed misc Python 2/3 references.
2017-01-25 13:59:25 -05:00
dc8834cad4
Refs #23919 -- Removed unneeded force_str calls
2017-01-20 08:44:31 +01:00
cecc079168
Refs #23919 -- Stopped inheriting from object to define new style classes.
2017-01-19 08:39:46 +01:00
3cc5f01d9b
Refs #23919 -- Stopped using django.utils.lru_cache().
2017-01-18 21:42:40 -05:00
d7b9aaa366
Refs #23919 -- Removed encoding preambles and future imports
2017-01-18 09:55:19 +01:00
0bf3228eec
Increased the default PBKDF2 iterations for the 1.11 release cycle.
2017-01-17 20:52:05 -05:00
967aa7f6cc
Fixed #27010 -- Made Argon2PasswordHasher decode with ASCII.
...
The underlying hasher only generates strings containing ASCII
characters so this is merely a cosmetic change.
2016-08-04 10:57:37 -04:00
1915a7e5c5
Increased the default PBKDF2 iterations.
2016-05-20 09:19:19 -04:00
a5033dbc58
Refs #26033 -- Added password hasher support for Argon2 v1.3.
...
The previous version of Argon2 uses encoded hashes of the form:
$argon2d$m=8,t=1,p=1$<salt>$<data>
The new version of Argon2 adds its version into the hash:
$argon2d$v=19$m=8,t=1,p=1$<salt>$<data>
This lets Django handle both version properly.
2016-04-25 21:17:53 -04:00
1243fdf5cb
Fixed #26395 -- Skipped the CryptPasswordHasher tests on platforms with a dummy crypt module.
2016-03-22 11:22:21 -04:00
b4250ea04a
Fixed #26033 -- Added Argon2 password hasher.
2016-03-08 11:22:18 -05:00
67b46ba701
Fixed CVE-2016-2513 -- Fixed user enumeration timing attack during login.
...
This is a security fix.
2016-03-01 11:25:28 -05:00
926d41f0e7
Updated some comments for BCryptSHA256PasswordHasher.
2016-02-11 11:57:12 -05:00
8048411c97
Fixed a typo in BCryptPasswordHasher docstring
...
There is no BCryptSHA512PasswordHasher.
2016-01-09 12:14:51 -05:00
f0ad641628
Fixed #26016 -- Restored contrib.auth hashers compatibility with py-bcrypt.
...
Reverted "Explicitly passed rounds as rounds to bcrypt.gensalt()"
This reverts commit 23529fb195
2016-01-02 06:54:13 -05:00
593c9eb660
Increased the default PBKDF2 iterations for the 1.10 release cycle.
2015-09-23 19:31:11 -04:00
Claude Paroz
Carlton Gibson
Mariusz Felisiak
django-bot
Adam Johnson
Ade Lee
Mateo Radman
ryowright
Jon Moroney
Florian Apolloner
Hasan Ramezani
Nick Pope
Tim Graham
Jon Dufresne
Дилян Палаузов
Anton Samarchyan
Simon Charette
Aymeric Augustin
Bas Westerbaan
Matt Robenolt