Refs #31358 -- Added constant for get_random_string()'s default alphabet.

django/contrib/auth/hashers.py

@@ -10,7 +10,7 @@ from django.core.exceptions import ImproperlyConfigured
 from django.core.signals import setting_changed
 from django.dispatch import receiver
 from django.utils.crypto import (
-    constant_time_compare, get_random_string, pbkdf2,
+    RANDOM_STRING_CHARS, constant_time_compare, get_random_string, pbkdf2,
 )
 from django.utils.module_loading import import_string
 from django.utils.translation import gettext_noop as _
@@ -190,8 +190,8 @@ class BasePasswordHasher:
 
     def salt(self):
         """Generate a cryptographically secure nonce salt in ASCII."""
-        # 12 returns a 71-bit value, log_2((26+26+10)^12) =~ 71 bits
+        # 12 returns a 71-bit value, log_2(len(RANDOM_STRING_CHARS)^12) =~ 71 bits
-        return get_random_string(12)
+        return get_random_string(12, RANDOM_STRING_CHARS)
 
     def verify(self, password, encoded):
         """Check if the given password is correct."""

django/utils/crypto.py

@@ -47,14 +47,12 @@ def salted_hmac(key_salt, value, secret=None, *, algorithm='sha1'):
 
 
 NOT_PROVIDED = object()  # RemovedInDjango40Warning.
+RANDOM_STRING_CHARS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
 
 
 # RemovedInDjango40Warning: when the deprecation ends, replace with:
-#   def get_random_string(length, allowed_chars='...'):
+#   def get_random_string(length, allowed_chars=RANDOM_STRING_CHARS):
-def get_random_string(length=NOT_PROVIDED, allowed_chars=(
+def get_random_string(length=NOT_PROVIDED, allowed_chars=RANDOM_STRING_CHARS):
-    'abcdefghijklmnopqrstuvwxyz'
-    'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
-)):
     """
     Return a securely generated random string.