Author: lukeplant
Date: 2011-03-30 10:34:38 -0700 (Wed, 30 Mar 2011)
New Revision: 15950
Modified:
django/trunk/django/contrib/auth/tests/tokens.py
django/trunk/django/contrib/auth/tokens.py
Log:
Removed Django 1.2 compatibility fallback for password reset hash
Modified: django/trunk/django/contrib/auth/tests/tokens.py
===================================================================
--- django/trunk/django/contrib/auth/tests/tokens.py 2011-03-30 17:34:26 UTC
(rev 15949)
+++ django/trunk/django/contrib/auth/tests/tokens.py 2011-03-30 17:34:38 UTC
(rev 15950)
@@ -51,28 +51,6 @@
p2 = Mocked(date.today() +
timedelta(settings.PASSWORD_RESET_TIMEOUT_DAYS + 1))
self.assertFalse(p2.check_token(user, tk1))
- def test_django12_hash(self):
- """
- Ensure we can use the hashes generated by Django 1.2
- """
- # Hard code in the Django 1.2 algorithm (not the result, as it is time
- # dependent)
- def _make_token(user):
- import hashlib
- from django.utils.http import int_to_base36
-
- timestamp = (date.today() - date(2001,1,1)).days
- ts_b36 = int_to_base36(timestamp)
- hash = hashlib.sha1(settings.SECRET_KEY + unicode(user.id) +
- user.password +
user.last_login.strftime('%Y-%m-%d %H:%M:%S') +
- unicode(timestamp)).hexdigest()[::2]
- return "%s-%s" % (ts_b36, hash)
-
- user = User.objects.create_user('tokentestuser', '[email protected]',
'testpw')
- p0 = PasswordResetTokenGenerator()
- tk1 = _make_token(user)
- self.assertTrue(p0.check_token(user, tk1))
-
def test_date_length(self):
"""
Make sure we don't allow overly long dates, causing a potential DoS.
Modified: django/trunk/django/contrib/auth/tokens.py
===================================================================
--- django/trunk/django/contrib/auth/tokens.py 2011-03-30 17:34:26 UTC (rev
15949)
+++ django/trunk/django/contrib/auth/tokens.py 2011-03-30 17:34:38 UTC (rev
15950)
@@ -1,5 +1,4 @@
from datetime import date
-import hashlib
from django.conf import settings
from django.utils.http import int_to_base36, base36_to_int
from django.utils.crypto import constant_time_compare, salted_hmac
@@ -33,11 +32,7 @@
# Check that the timestamp/uid has not been tampered with
if not constant_time_compare(self._make_token_with_timestamp(user,
ts), token):
- # Fallback to Django 1.2 method for compatibility.
- # PendingDeprecationWarning <- here to remind us to remove this in
- # Django 1.5
- if not
constant_time_compare(self._make_token_with_timestamp_old(user, ts), token):
- return False
+ return False
# Check the timestamp is within limit
if (self._num_days(self._today()) - ts) >
settings.PASSWORD_RESET_TIMEOUT_DAYS:
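Review bot: Nothing visible in this commit pins the rejection that the added `return False` under the `constant_time_compare` check now performs for a Django 1.2-style token, because `test_django12_hash` is deleted rather than inverted. Consider keeping the hard-coded 1.2 `_make_token` helper in the test file and ending the test with `self.assertFalse(p0.check_token(user, tk1))`, so a later change cannot quietly start accepting the plain SHA-1 concatenation scheme again. The comment above the check could also state what is actually compared, for example `# Reject unless the token matches the salted_hmac value for this user and timestamp`. The enclosing method starts and ends outside this hunk, so its earlier parsing steps were not reviewed.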
@@ -63,14 +58,6 @@
hash = salted_hmac(key_salt, value).hexdigest()[::2]
return "%s-%s" % (ts_b36, hash)
- def _make_token_with_timestamp_old(self, user, timestamp):
- # The Django 1.2 method
- ts_b36 = int_to_base36(timestamp)
- hash = hashlib.sha1(settings.SECRET_KEY + unicode(user.id) +
- user.password + user.last_login.strftime('%Y-%m-%d
%H:%M:%S') +
- unicode(timestamp)).hexdigest()[::2]
- return "%s-%s" % (ts_b36, hash)
-
def _num_days(self, dt):
return (dt - date(2001,1,1)).days