From da4923ea87124102aae4455e947ce24599c0365b Mon Sep 17 00:00:00 2001 From: Claude Paroz Date: Fri, 17 Jan 2020 10:09:55 +0100 Subject: [PATCH] Refs #27468 -- Made PasswordResetTokenGenerator use SHA-256 algorithm. --- django/contrib/auth/tokens.py | 16 ++++++++++++++-- docs/internals/deprecation.txt | 3 +++ docs/releases/3.1.txt | 3 +++ tests/auth_tests/test_tokens.py | 11 +++++++++++ 4 files changed, 31 insertions(+), 2 deletions(-) diff --git a/django/contrib/auth/tokens.py b/django/contrib/auth/tokens.py index c4f2641003..15a3b0ce88 100644 --- a/django/contrib/auth/tokens.py +++ b/django/contrib/auth/tokens.py @@ -11,6 +11,7 @@ class PasswordResetTokenGenerator: reset mechanism. """ key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator" + algorithm = 'sha256' secret = settings.SECRET_KEY def make_token(self, user): @@ -39,7 +40,14 @@ class PasswordResetTokenGenerator: # Check that the timestamp/uid has not been tampered with if not constant_time_compare(self._make_token_with_timestamp(user, ts), token): - return False + # RemovedInDjango40Warning: when the deprecation ends, replace + # with: + # return False + if not constant_time_compare( + self._make_token_with_timestamp(user, ts, legacy=True), + token, + ): + return False # Check the timestamp is within limit. if (self._num_seconds(self._now()) - ts) > settings.PASSWORD_RESET_TIMEOUT: @@ -47,7 +55,7 @@ class PasswordResetTokenGenerator: return True - def _make_token_with_timestamp(self, user, timestamp): + def _make_token_with_timestamp(self, user, timestamp, legacy=False): # timestamp is number of seconds since 2001-1-1. Converted to base 36, # this gives us a 6 digit string until about 2069. ts_b36 = int_to_base36(timestamp) @@ -55,6 +63,10 @@ class PasswordResetTokenGenerator: self.key_salt, self._make_hash_value(user, timestamp), secret=self.secret, + # RemovedInDjango40Warning: when the deprecation ends, remove the + # legacy argument and replace with: + # algorithm=self.algorithm, + algorithm='sha1' if legacy else self.algorithm, ).hexdigest()[::2] # Limit to 20 characters to shorten the URL. return "%s-%s" % (ts_b36, hash_string) diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt index db6df0fbbe..6b94bc1a3a 100644 --- a/docs/internals/deprecation.txt +++ b/docs/internals/deprecation.txt @@ -49,6 +49,9 @@ details on these changes. * Support for the pre-Django 3.1 encoding format of cookies values used by ``django.contrib.messages.storage.cookie.CookieStorage`` will be removed. +* Support for the pre-Django 3.1 password reset tokens in the admin site (that + use the SHA-1 hashing algorithm) will be removed. + See the :ref:`Django 3.1 release notes ` for more details on these changes. diff --git a/docs/releases/3.1.txt b/docs/releases/3.1.txt index 6bf57e0de3..df7aad8dd2 100644 --- a/docs/releases/3.1.txt +++ b/docs/releases/3.1.txt @@ -56,6 +56,9 @@ Minor features instead of deprecated ``PASSWORD_RESET_TIMEOUT_DAYS``, which will be removed in Django 4.0. +* The password reset mechanism now uses the SHA-256 hashing algorithm. Support + for tokens that use the old hashing algorithm remains until Django 4.0. + :mod:`django.contrib.contenttypes` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/tests/auth_tests/test_tokens.py b/tests/auth_tests/test_tokens.py index 937fb7f598..5ac242db29 100644 --- a/tests/auth_tests/test_tokens.py +++ b/tests/auth_tests/test_tokens.py @@ -86,3 +86,14 @@ class TokenGeneratorTest(TestCase): # Tokens created with a different secret don't validate. self.assertIs(p0.check_token(user, tk1), False) self.assertIs(p1.check_token(user, tk0), False) + + def test_legacy_token_validation(self): + # RemovedInDjango40Warning: pre-Django 3.1 tokens will be invalid. + user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw') + p_old_generator = PasswordResetTokenGenerator() + p_old_generator.algorithm = 'sha1' + p_new_generator = PasswordResetTokenGenerator() + + legacy_token = p_old_generator.make_token(user) + self.assertIs(p_old_generator.check_token(user, legacy_token), True) + self.assertIs(p_new_generator.check_token(user, legacy_token), True)