#20079: Improve security of password reset tokens
------------------------------+------------------------------------
     Reporter:  jacob         |                    Owner:  viciu
         Type:  Bug           |                   Status:  assigned
    Component:  contrib.auth  |                  Version:  master
     Severity:  Normal        |               Resolution:
     Keywords:  dceu13        |             Triage Stage:  Accepted
    Has patch:  1             |      Needs documentation:  0
  Needs tests:  0             |  Patch needs improvement:  1
Easy pickings:  0             |                    UI/UX:  0
------------------------------+------------------------------------
Changes (by lukeplant):

 * needs_better_patch:  0 => 1
 * stage:  Ready for checkin => Accepted


Comment:

 It's important to change the name of the constant UNUSABLE_PASSWORD to
 something else (UNUSABLE_PASSWORD_PREFIX, perhaps), because:

 1. UNUSABLE_PASSWORD is now a misleading name
 2. As far as possible, code should be left as if it had been written that
 way from the beginning.
 3. If any code is depending on the original meaning of UNUSABLE_PASSWORD,
 it will be broken. This could include third-party code. It is relying on an
 undocumented internal, so it is OK to break their code, but by changing
 the name of the constant, their code will break loudly and obviously,
 rather than in difficult-to-spot ways. The same thing applies to other
 instances of UNUSABLE_PASSWORD in Django's own code base - if the patch
 had been written this way from the start, it would have been impossible to
 miss those other instances that erikr pointed out.

 In fact, in most cases that UNUSABLE_PASSWORD is used in the tests, it
 should actually be removed and replaced with `user.has_usable_password()`
 (except if `has_usable_password` is itself being tested), because that is
 the whole point of `User.has_usable_password()` - to hide the
 implementation detail of UNUSABLE_PASSWORD. That isn't the fault of the
 current patch, but it is a good opportunity to clean it up.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/20079#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
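An added illustration of the abstraction point made in the comment above (this is example code written for this page, not Django's contrib.auth and not the ticket's patch): the stored marker for an unusable password is assumed here to be a fixed prefix followed by a random suffix, so the names `UNUSABLE_PASSWORD_PREFIX`, `UNUSABLE_PASSWORD_SUFFIX_LENGTH`, `make_unusable_password`, `is_password_usable` and the toy `User` class are all assumptions. The block shows why an exact comparison against the old single-valued constant silently gives the wrong answer once the value has a random part, while `has_usable_password()` keeps working because it is the one place that knows the storage format.

```python
import secrets

# Constructed storage format, assumed for this example only: a fixed prefix
# followed by a random suffix, so no two unusable markers are equal and none
# can ever verify as a real password hash.
UNUSABLE_PASSWORD_PREFIX = "!"          # assumed marker; the renamed constant
UNUSABLE_PASSWORD_SUFFIX_LENGTH = 40    # assumed length of the random part


def make_unusable_password() -> str:
    """Return a fresh, unique marker that can never verify as a real password."""
    # token_hex(n) yields 2n hex characters, so this produces exactly the assumed length.
    return UNUSABLE_PASSWORD_PREFIX + secrets.token_hex(UNUSABLE_PASSWORD_SUFFIX_LENGTH // 2)


def is_password_usable(encoded: str) -> bool:
    """The single place that knows the storage format.

    An empty field or anything starting with the prefix is unusable.
    """
    return bool(encoded) and not encoded.startswith(UNUSABLE_PASSWORD_PREFIX)


class User:
    """Minimal stand-in for a user model with a stored password field (constructed)."""

    def __init__(self, encoded_password: str = "") -> None:
        self.password = encoded_password

    def set_unusable_password(self) -> None:
        self.password = make_unusable_password()

    def has_usable_password(self) -> bool:
        # Callers should go through this method, never compare self.password
        # against a constant themselves.
        return is_password_usable(self.password)


def legacy_is_unusable(user: User) -> bool:
    """The style of check the comment warns about: exact equality against the
    old constant.  Once the stored value carries a random suffix this returns
    False for every user, i.e. it fails silently rather than loudly."""
    legacy_unusable_password = "!"   # assumed value of the old UNUSABLE_PASSWORD constant
    return user.password == legacy_unusable_password


def compare_checks(user: User) -> dict:
    """Run both checks on one user so the divergence is visible side by side."""
    return {
        "legacy_equality_says_unusable": legacy_is_unusable(user),
        "has_usable_password": user.has_usable_password(),
    }


if __name__ == "__main__":
    u = User()
    u.set_unusable_password()
    print(u.password)          # "!" followed by 40 random hex characters
    print(compare_checks(u))   # legacy check says False, has_usable_password says False
```

Running the block shows the legacy equality check reporting "not unusable" for a user who plainly has no usable password, which is exactly the kind of hard-to-spot breakage the comment argues a renamed constant would turn into an obvious NameError instead. It also shows that two users given unusable passwords end up with different stored values under the assumed format.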
