[1.4.x] Fixed #18144 -- Added backwards compatibility with old unsalted MD5 passwords

Thanks apreobrazhensky at gmail.com for the report. Backport of 63d6a50dd from master.
2013-02-02 11:57:25 +01:00 · 2013-02-02 11:57:25 +01:00 · 6bd3896fcb
parent 89ba1b27b4
commit 6bd3896fcb
2 changed files with 9 additions and 1 deletions
--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
@ -35,7 +35,8 @@ def check_password(password, encoded, setter=None, preferred='default'):
    password = smart_str(password)
    encoded = smart_str(encoded)

-    if len(encoded) == 32 and '$' not in encoded:
+    if ((len(encoded) == 32 and '$' not in encoded) or
+            (len(encoded) == 37 and encoded.startswith('md5$$'))):
        hasher = get_hasher('unsalted_md5')
    else:
        algorithm = encoded.split('$', 1)[0]
@ -347,6 +348,8 @@ class UnsaltedMD5PasswordHasher(BasePasswordHasher):
        return hashlib.md5(password).hexdigest()

    def verify(self, password, encoded):
+        if len(encoded) == 37 and encoded.startswith('md5$$'):
+            encoded = encoded[5:]
        encoded_2 = self.encode(password, '')
        return constant_time_compare(encoded, encoded_2)

--- a/django/contrib/auth/tests/hashers.py
+++ b/django/contrib/auth/tests/hashers.py
@ -59,6 +59,11 @@ class TestUtilsHashPass(unittest.TestCase):
        self.assertTrue(is_password_usable(encoded))
        self.assertTrue(check_password(u'letmein', encoded))
        self.assertFalse(check_password('letmeinz', encoded))
+        # Alternate unsalted syntax
+        alt_encoded = "md5$$%s" % encoded
+        self.assertTrue(is_password_usable(alt_encoded))
+        self.assertTrue(check_password(u'letmein', alt_encoded))
+        self.assertFalse(check_password('letmeinz', alt_encoded))

    @skipUnless(crypt, "no crypt module to generate password.")
    def test_crypt(self):