#3316: Adding `crypt' to list of password hashes for legacy apps.
-----------------------------+----------------------------------------------
   Reporter:  [EMAIL PROTECTED]  |                Owner:  adrian                
     Status:  new            |            Component:  Contrib apps          
    Version:  SVN            |           Resolution:                        
   Keywords:                 |                Stage:  Design decision needed
  Has_patch:  1              |           Needs_docs:  1                     
Needs_tests:  1              |   Needs_better_patch:  0                     
-----------------------------+----------------------------------------------
Comment (by Simon G. <[EMAIL PROTECTED]>):

 Yes, I was really just thinking out loud, but I don't think there'll be
 any security issues - If someone tries to smuggle in some code in the
 "algo" slot, then __import__ will fail (e.g. my hashing algorithm is
 called 'md5;print "fudge"') and raise an ImportError.
 
 An attacker could create a new module (with new() doing something
 malicious), but this would require them to get the module into an
 importable location, and get the hashing algo to match that - I *think*
 this is impossible.
 
 I could be wrong (shared hosting situations come to mind).
 
 If we did want to go down this path, then you could always have a
 SAFE_HASHERS list, which could be added to in settings.py

-- 
Ticket URL: <http://code.djangoproject.com/ticket/3316#comment:6>
Django Code <http://code.djangoproject.com/>
The web framework for perfectionists with deadlines
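
An allowlist lookup along the lines of the SAFE_HASHERS suggestion in the comment above, as an added example that is not part of the original message or of Django's code. The dictionary contents, the function names and the `algo$salt$hexdigest` record layout are assumptions made for illustration.

```python
import hashlib
import hmac

# Allowlist named after the SAFE_HASHERS idea in the comment; its contents are
# an assumption (legacy digests, matching the ticket's legacy-app context).
SAFE_HASHERS = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
}


class UnknownHasher(ValueError):
    """Raised when a stored hash names an algorithm outside SAFE_HASHERS."""


def get_hasher(algo, safe_hashers=SAFE_HASHERS):
    # Dictionary lookup only: the stored string never reaches __import__,
    # so it cannot select a module that merely happens to be importable.
    try:
        return safe_hashers[algo]
    except KeyError:
        raise UnknownHasher("hash algorithm %r is not allowed" % algo) from None


def make_password(raw_password, salt, algo="sha1"):
    # Build a record in the assumed "algo$salt$hexdigest" layout.
    digest = get_hasher(algo)((salt + raw_password).encode("utf-8")).hexdigest()
    return "%s$%s$%s" % (algo, salt, digest)


def check_password(raw_password, encoded, safe_hashers=SAFE_HASHERS):
    # Return True only if raw_password matches the stored record.
    try:
        algo, salt, expected = encoded.split("$", 2)
    except ValueError:
        return False  # malformed record: fewer than three fields
    hasher = get_hasher(algo, safe_hashers)  # raises before any hashing happens
    digest = hasher((salt + raw_password).encode("utf-8")).hexdigest()
    # Compare as bytes in constant time; bytes also tolerate non-ASCII input.
    return hmac.compare_digest(digest.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    record = make_password("s3cret", "ab12")  # constructed sample values
    print(record, check_password("s3cret", record))
```

A settings-driven variant would pass its own dictionary as `safe_hashers`, so adding a legacy algorithm such as crypt becomes an explicit configuration change rather than something the stored string can select.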