#18144: MD5PasswordHasher: broken backwards compatibility with empty salt
-------------------------------------+-------------------------------------
Reporter: apreobrazhensky@… | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 1.4
Severity: Release blocker | Resolution:
Keywords: MD5PasswordHasher | Triage Stage: Accepted
check_password salt | Needs documentation: 0
Has patch: 1 | Patch needs improvement: 1
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Comment (by aaugustin):
I just realized "unsalted passwords" can mean two things: just a plain
SHA1 hash, or `sha1$$` followed by a SHA1 hash. The request here is to
handle the latter. Historically, Django hasn't checked that the salt isn't
empty; now it does, and that's described as a regression here.
Django never generated such hashes and there's no reason to find them in an
auth_user table. But that argument also applies to hashes starting with
`md5$$`, and code was added to support that.
Personally I would have wontfix'd the ticket rather than add code to
support dubious schemes that Django never generated. But it would be
inconsistent to refuse for SHA1 what was accepted for MD5, so at this
point, I'll refrain from closing the ticket or changing its "release
blocker" status.
--
Ticket URL: <https://code.djangoproject.com/ticket/18144#comment:19>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
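The comment above distinguishes two things people call an "unsalted password": a bare hex digest, and an `algorithm$salt$hash` string whose salt field is empty (`sha1$$…`, `md5$$…`), and it notes that newer code rejects the empty salt where older code did not. The following is an added illustration of that distinction, written for this page; it is not Django's hasher code, and the function names, the sample password `secret` and the sample salt `x7Kq2p` are constructed for the example. It follows the scheme the ticket discusses (digest over salt + password, hex-encoded, stored as `algorithm$salt$hash`) and shows an empty-salt hash verifying under the permissive check but being rejected under the strict one.

```python
import hashlib
import hmac

# Toy re-implementation of the "algorithm$salt$hash" storage format for the
# SHA1 and MD5 hashers, for illustration only (not Django's own code).
ALGORITHMS = {"sha1": hashlib.sha1, "md5": hashlib.md5}


def encode(password, salt, algorithm="sha1"):
    """Return 'algorithm$salt$hexdigest' with the digest taken over salt + password."""
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    digest = ALGORITHMS[algorithm]((salt + password).encode()).hexdigest()
    return "%s$%s$%s" % (algorithm, salt, digest)


def split_encoded(encoded):
    """Split a stored value into (algorithm, salt, hexdigest)."""
    algorithm, salt, digest = encoded.split("$", 2)
    if algorithm not in ALGORITHMS:
        raise ValueError("unknown algorithm %r" % algorithm)
    return algorithm, salt, digest


def verify_strict(password, encoded):
    """Strict check: the salt field must be non-empty, so 'sha1$$<hex>' is rejected."""
    algorithm, salt, _digest = split_encoded(encoded)
    if not salt:
        raise ValueError("empty salt")
    expected = encode(password, salt, algorithm)
    return hmac.compare_digest(expected, encoded)  # constant-time comparison


def verify_legacy(password, encoded):
    """Permissive check: an empty salt is accepted; the digest then covers
    the bare password, which is what 'sha1$$<hex>' encodes."""
    algorithm, salt, _digest = split_encoded(encoded)
    expected = encode(password, salt, algorithm)
    return hmac.compare_digest(expected, encoded)


def verify_plain_unsalted(password, hexdigest):
    """The other meaning of 'unsalted': a bare hex digest with no prefix at all.
    The algorithm is inferred from the length (32 hex chars = MD5, 40 = SHA1)."""
    by_len = {32: "md5", 40: "sha1"}
    algorithm = by_len.get(len(hexdigest))
    if algorithm is None:
        raise ValueError("not a bare MD5/SHA1 hex digest")
    expected = ALGORITHMS[algorithm](password.encode()).hexdigest()
    return hmac.compare_digest(expected, hexdigest.lower())


def demo():
    """Walk through the cases the ticket discusses, using a constructed sample
    password and salt (not values taken from any real auth_user table)."""
    empty_salt_sha1 = encode("secret", "", "sha1")    # "sha1$$<sha1 hex of 'secret'>"
    empty_salt_md5 = encode("secret", "", "md5")      # "md5$$<md5 hex of 'secret'>"
    salted_sha1 = encode("secret", "x7Kq2p", "sha1")  # ordinary salted hash
    bare_sha1 = empty_salt_sha1.split("$", 2)[2]      # plain 40-hex digest, no prefix
    try:
        empty_salt_strict = verify_strict("secret", empty_salt_sha1)
    except ValueError:
        empty_salt_strict = "rejected"
    return {
        "empty_salt_legacy": verify_legacy("secret", empty_salt_sha1),
        "empty_salt_strict": empty_salt_strict,
        "md5_empty_salt_legacy": verify_legacy("secret", empty_salt_md5),
        "salted_strict": verify_strict("secret", salted_sha1),
        "bare_hex_unsalted": verify_plain_unsalted("secret", bare_sha1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Note that `sha1$$<hex>` and the bare `<hex>` carry exactly the same digest (SHA1 over the password alone), which is why supporting one and not the other is hard to justify, the point the comment makes about `md5$$` versus `sha1$$`. Either form is only as strong as an unsalted single-iteration hash and belongs in a migration path, not in new records.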