#18144: MD5PasswordHasher: broken backwards compatibility with empty salt
-------------------------------------+-------------------------------------
Reporter: apreobrazhensky@… | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 1.4
Severity: Release blocker | Resolution:
Keywords: MD5PasswordHasher | Triage Stage: Accepted
check_password salt | Needs documentation: 0
Has patch: 1 | Patch needs improvement: 1
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Comment (by aaugustin):
Here are the schemes accepted and generated by Django over time.
||=Version=||=Read=||=Written=||=Code=||
||=0.90=||unsalted MD5||unsalted MD5||https://github.com/django/django/blob/stable/0.90.x/django/models/auth.py#L80-L87||
||=0.91=||unsalted MD5, unsalted SHA1, salted SHA1||salted SHA1, with automatic upgrade of unsalted MD5||https://github.com/django/django/blob/stable/0.91.x/django/models/auth.py#L80-L109||
||=0.95=||unsalted MD5, unsalted SHA1, salted SHA1||salted SHA1, with automatic upgrade of unsalted MD5||https://github.com/django/django/blob/stable/0.95.x/django/contrib/auth/models.py#L140-L162 https://github.com/django/django/blob/stable/0.95.x/django/contrib/auth/models.py#L8-L20||
||=0.96=||unsalted MD5, unsalted SHA1, salted SHA1||salted SHA1, with automatic upgrade of unsalted MD5||https://github.com/django/django/blob/stable/0.96.x/django/contrib/auth/models.py#L140-L162 https://github.com/django/django/blob/stable/0.96.x/django/contrib/auth/models.py#L8-L20||
||=1.0=||unsalted MD5, unsalted SHA1, salted SHA1, salted crypt (if supported by Python)||salted SHA1, with automatic upgrade of unsalted MD5||https://github.com/django/django/blob/stable/1.0.x/django/contrib/auth/models.py#L176-L204 https://github.com/django/django/blob/stable/1.0.x/django/contrib/auth/models.py#L18-L54||
||=1.1=||unsalted MD5, unsalted SHA1, salted SHA1, salted crypt (if supported by Python)||salted SHA1, with automatic upgrade of unsalted MD5||https://github.com/django/django/blob/stable/1.1.x/django/contrib/auth/models.py#L183-L211 https://github.com/django/django/blob/stable/1.1.x/django/contrib/auth/models.py#L20-L45||
||=1.2=||unsalted MD5, unsalted SHA1, salted SHA1, salted crypt (if supported by Python)||salted SHA1, with automatic upgrade of unsalted MD5||https://github.com/django/django/blob/stable/1.2.x/django/contrib/auth/models.py#L236-L271 https://github.com/django/django/blob/stable/1.2.x/django/contrib/auth/models.py#L16-L41||
||=1.3=||unsalted MD5, unsalted SHA1, salted SHA1, salted crypt (if supported by Python)||salted SHA1, with automatic upgrade of unsalted MD5||https://github.com/django/django/blob/stable/1.3.x/django/contrib/auth/models.py#L251-L286 https://github.com/django/django/blob/stable/1.3.x/django/contrib/auth/models.py#L16-L43||
The new password hashing was added in 1.4.
--
Ticket URL: <https://code.djangoproject.com/ticket/18144#comment:18>
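
As an added example (not part of the ticket comment and not Django's code): a small auditor for the legacy schemes listed in the table above that treats an empty salt field as valid. It assumes the pre-1.4 `algo$salt$hexdigest` layout with digest = H(salt + password) and a bare hexdigest for unsalted MD5; `parse`, `check_legacy`, `audit` and `constructed_samples` are hypothetical names.

```python
import hashlib
import hmac
from collections import Counter

# Assumed layout of pre-1.4 values: "algo$salt$hexdigest" with digest = H(salt + password);
# a value with no "$" is a bare unsalted MD5 hexdigest. crypt is left out here.
DIGESTS = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def parse(encoded):
    """Split a stored value into (scheme, algo, salt, hexdigest)."""
    if "$" not in encoded:
        return ("unsalted MD5", "md5", "", encoded)
    parts = encoded.split("$")
    if len(parts) != 3 or parts[0] not in DIGESTS:
        return ("unsupported", None, None, None)
    algo, salt, digest = parts
    # An empty salt field is a valid legacy value, not a malformed one.
    return (("salted " if salt else "unsalted ") + algo.upper(), algo, salt, digest)


def check_legacy(raw_password, encoded):
    """Constant-time verification of a legacy value; False for unsupported schemes."""
    scheme, algo, salt, digest = parse(encoded)
    if algo is None:
        return False
    computed = DIGESTS[algo]((salt + raw_password).encode("utf-8")).hexdigest()
    return hmac.compare_digest(computed.encode("ascii"), digest.encode("utf-8"))


def audit(stored_values):
    """Count stored values per scheme, e.g. to size a forced-rehash migration."""
    return Counter(parse(value)[0] for value in stored_values)


def constructed_samples(password="constructed-sample-password"):
    """Build one value per scheme from a made-up password (not real data)."""
    def h(algo, salt):
        return DIGESTS[algo]((salt + password).encode("utf-8")).hexdigest()
    return [h("md5", ""), "md5$$" + h("md5", ""), "sha1$$" + h("sha1", ""),
            "sha1$a1b2c$" + h("sha1", "a1b2c"), "pbkdf2_sha256$10000$x$y"]


if __name__ == "__main__":
    for value in constructed_samples():
        print(parse(value)[0], check_legacy("constructed-sample-password", value))
    print(dict(audit(constructed_samples())))
```

Every scheme this checker accepts is a fast, unsalted or lightly salted digest, so a successful check is the point at which to re-hash the password with the current default hasher.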