Added documentation for r17418. Refs #17481.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17513 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-12 14:29:30 +00:00 · 2012-02-12 14:29:30 +00:00 · 61fe50fdd6
parent 1c9c29b5b2
commit 61fe50fdd6
1 changed files with 16 additions and 1 deletions
--- a/docs/releases/1.4-beta-1.txt
+++ b/docs/releases/1.4-beta-1.txt
@ -115,6 +115,21 @@ details, see :ref:`auth_password_storage`.
 .. _nist: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
 .. _bcrypt: http://en.wikipedia.org/wiki/Bcrypt

+.. warning::
+
+    Django 1.4 alpha contained a bug that corrupted PBKDF2 hashes. To
+    determine which accounts are affected, run :djadmin:`manage.py shell
+    <shell>` and paste this snippet::
+
+        from base64 import b64decode
+        from django.contrib.auth.models import User
+        hash_len = {'pbkdf2_sha1': 20, 'pbkdf2_sha256': 32}
+        for user in User.objects.filter(password__startswith='pbkdf2_'):
+            algo, _, _, hash = user.password.split('$')
+            if len(b64decode(hash)) != hash_len[algo]:
+                print user
+
+    These users should reset their passwords.

 HTML5 Doctype
 ~~~~~~~~~~~~~
@ -557,7 +572,7 @@ Django 1.4 also includes several smaller improvements worth noting:

 * New phrases added to ``HIDDEN_SETTINGS`` regex in `django/views/debug.py`_.

-  ``'API'``, ``'TOKEN'``, ``'KEY'`` were added, ``'PASSWORD'`` was changed to 
+  ``'API'``, ``'TOKEN'``, ``'KEY'`` were added, ``'PASSWORD'`` was changed to
  ``'PASS'``.

 .. _django/views/debug.py: http://code.djangoproject.com/browser/django/trunk/django/views/debug.py