#20079: Improve security of password reset tokens
------------------------------+------------------------------------
     Reporter:  jacob         |                    Owner:  viciu
         Type:  Bug           |                   Status:  assigned
    Component:  contrib.auth  |                  Version:  master
     Severity:  Normal        |               Resolution:
     Keywords:  dceu13        |             Triage Stage:  Accepted
    Has patch:  1             |      Needs documentation:  0
  Needs tests:  0             |  Patch needs improvement:  1
Easy pickings:  0             |                    UI/UX:  0
------------------------------+------------------------------------
Changes (by erikr):
 * keywords:   => dceu13
 * needs_better_patch:  0 => 1
 * has_patch:  0 => 1
 * version:  1.5 => master
 * cc: eromijn@… (added)

Comment:

 Two comments:
 * The test does not check the new feature ("passwords always include
   entropy") - if I apply your test but not the implementation, the test
   succeeds.
 * The admin_views tests contain several checks that a set password is not
   equal to UNUSABLE_PASSWORD; but with this patch, those tests would
   succeed even if the user's password had been set to an unusable one. In
   other words, those tests will also need to be updated to use startswith.

--
Ticket URL: <https://code.djangoproject.com/ticket/20079#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
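To make erikr's two points concrete, here is an added Python example (not Django's code and not the patch under review) that models the pre- and post-patch unusable-password formats and shows why an equality check against UNUSABLE_PASSWORD turns into a false negative once the sentinel carries random entropy, while a startswith check and an entropy test that fails against the old implementation do not. The make_unusable_* functions and the 40-character suffix are constructed assumptions for illustration.

```python
import secrets
import string

# Constructed, simplified models of the two behaviours the ticket compares;
# they are not Django's code. UNUSABLE_PASSWORD is the sentinel that the
# old admin_views tests compare against with "!=".
UNUSABLE_PASSWORD = "!"
ALPHABET = string.ascii_letters + string.digits


def make_unusable_old() -> str:
    """Pre-patch behaviour: the bare sentinel, identical for every user."""
    return UNUSABLE_PASSWORD


def make_unusable_new(suffix_length: int = 40) -> str:
    """Post-patch behaviour (assumed): sentinel followed by random entropy."""
    suffix = "".join(secrets.choice(ALPHABET) for _ in range(suffix_length))
    return UNUSABLE_PASSWORD + suffix


def is_password_usable(encoded: str) -> bool:
    """Prefix check: correct under both the old and the new format."""
    return not encoded.startswith(UNUSABLE_PASSWORD)


def old_style_assertion_passes(encoded: str) -> bool:
    """The admin_views check erikr flags: inequality against the sentinel.
    Under the new format this passes even for an unusable password."""
    return encoded != UNUSABLE_PASSWORD


def prefix_assertion_passes(encoded: str) -> bool:
    """The startswith-based replacement erikr asks for."""
    return not encoded.startswith(UNUSABLE_PASSWORD)


def entropy_test_passes(make_unusable, samples: int = 20) -> bool:
    """A test for 'unusable passwords always include entropy'. It must
    fail when run against the old implementation, which is erikr's first
    criterion: a test that passes without the fix proves nothing."""
    encoded = [make_unusable() for _ in range(samples)]
    all_unusable = all(not is_password_usable(e) for e in encoded)
    all_have_suffix = all(len(e) > len(UNUSABLE_PASSWORD) for e in encoded)
    all_distinct = len(set(encoded)) == len(encoded)
    return all_unusable and all_have_suffix and all_distinct
```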