Refs #27468 -- Made PasswordResetTokenGenerator use SHA-256 algorithm.

2020-01-17 10:09:55 +01:00 · 2020-01-17 10:09:55 +01:00 · da4923ea87
parent 27f67317da
commit da4923ea87
4 changed files with 31 additions and 2 deletions
--- a/django/contrib/auth/tokens.py
+++ b/django/contrib/auth/tokens.py
@ -11,6 +11,7 @@ class PasswordResetTokenGenerator:
    reset mechanism.
    """
    key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator"
+    algorithm = 'sha256'
    secret = settings.SECRET_KEY

    def make_token(self, user):
@ -39,7 +40,14 @@ class PasswordResetTokenGenerator:

        # Check that the timestamp/uid has not been tampered with
        if not constant_time_compare(self._make_token_with_timestamp(user, ts), token):
-            return False
+            # RemovedInDjango40Warning: when the deprecation ends, replace
+            # with:
+            #   return False
+            if not constant_time_compare(
+                self._make_token_with_timestamp(user, ts, legacy=True),
+                token,
+            ):
+                return False

        # Check the timestamp is within limit.
        if (self._num_seconds(self._now()) - ts) > settings.PASSWORD_RESET_TIMEOUT:
@ -47,7 +55,7 @@ class PasswordResetTokenGenerator:

        return True

-    def _make_token_with_timestamp(self, user, timestamp):
+    def _make_token_with_timestamp(self, user, timestamp, legacy=False):
        # timestamp is number of seconds since 2001-1-1. Converted to base 36,
        # this gives us a 6 digit string until about 2069.
        ts_b36 = int_to_base36(timestamp)
@ -55,6 +63,10 @@ class PasswordResetTokenGenerator:
            self.key_salt,
            self._make_hash_value(user, timestamp),
            secret=self.secret,
+            # RemovedInDjango40Warning: when the deprecation ends, remove the
+            # legacy argument and replace with:
+            #   algorithm=self.algorithm,
+            algorithm='sha1' if legacy else self.algorithm,
        ).hexdigest()[::2]  # Limit to 20 characters to shorten the URL.
        return "%s-%s" % (ts_b36, hash_string)

--- a/docs/internals/deprecation.txt
+++ b/docs/internals/deprecation.txt
@ -49,6 +49,9 @@ details on these changes.
 * Support for the pre-Django 3.1 encoding format of cookies values used by
  ``django.contrib.messages.storage.cookie.CookieStorage`` will be removed.

+* Support for the pre-Django 3.1 password reset tokens in the admin site (that
+  use the SHA-1 hashing algorithm) will be removed.
+
 See the :ref:`Django 3.1 release notes <deprecated-features-3.1>` for more
 details on these changes.

--- a/docs/releases/3.1.txt
+++ b/docs/releases/3.1.txt
@ -56,6 +56,9 @@ Minor features
  instead of deprecated ``PASSWORD_RESET_TIMEOUT_DAYS``, which will be removed
  in Django 4.0.

+* The password reset mechanism now uses the SHA-256 hashing algorithm. Support
+  for tokens that use the old hashing algorithm remains until Django 4.0.
+
 :mod:`django.contrib.contenttypes`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- a/tests/auth_tests/test_tokens.py
+++ b/tests/auth_tests/test_tokens.py
@ -86,3 +86,14 @@ class TokenGeneratorTest(TestCase):
        # Tokens created with a different secret don't validate.
        self.assertIs(p0.check_token(user, tk1), False)
        self.assertIs(p1.check_token(user, tk0), False)
+
+    def test_legacy_token_validation(self):
+        # RemovedInDjango40Warning: pre-Django 3.1 tokens will be invalid.
+        user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
+        p_old_generator = PasswordResetTokenGenerator()
+        p_old_generator.algorithm = 'sha1'
+        p_new_generator = PasswordResetTokenGenerator()
+
+        legacy_token = p_old_generator.make_token(user)
+        self.assertIs(p_old_generator.check_token(user, legacy_token), True)
+        self.assertIs(p_new_generator.check_token(user, legacy_token), True)