straight55b / app-engine-patch

Automatically exported from code.google.com/p/app-engine-patch

Generated user passwords are not compatible with the get_hexdigest function #121

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Create a user, set a password
2. Try to run check_password('mypass', 'sha1$foo$encryptedigest')

What is the expected output? What do you see instead?

The function gen_hash() in django.contrib.auth, first of all, uses sha512 as the default. The get_hexdigest function does not support this encryption.

Also, the way the gen_hash() function inserts the salt is different from get_hexdigest(), creating a different password than what get_hexdigest() would, making functions like check_password() not work.

What version of the product are you using? On what operating system?
1.0, OS X.

Please provide any additional information below.

So rather than creating your own gen_hash() function which uses incompatible encryptions, just replace it with the following to make functions such as check_password() work.

import random
from string import ascii_letters, digits
from django.contrib.auth.models import get_hexdigest

def gen_hash(password, salt=None, algorithm='sha1'):
    # Use the same algorithm and salt placement as get_hexdigest(), so check_password() matches
    if salt is None:
        salt = ''.join([random.choice(ascii_letters + digits) for _ in range(8)])
    return (algorithm, salt, get_hexdigest(algorithm, salt, password))

Original issue reported on code.google.com by lud...@gmail.com on 2 Apr 2009 at 8:42
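The following is an added, self-contained illustration of the mismatch the report describes; it is not code from app-engine-patch or Django. It re-implements the Django 1.0 style helpers (a stored value of the form "algorithm$salt$hexdigest", the digest computed over salt + raw_password, and only md5/sha1 accepted) and then shows two ways a generator can diverge from the verifier: putting the salt on the other side of the password, which makes check_password() silently reject a correct password, and using an algorithm the verifier does not know, which makes it raise. The function incompatible_gen_hash() is a hypothetical stand-in for such a generator, not the project's actual gen_hash(); the supported-algorithm list and the sample password and salt are constructed for the example.

```python
import hashlib
import random
from string import ascii_letters, digits

# Constructed re-implementation of the legacy django.contrib.auth helpers
# (not Django's or app-engine-patch's own code): stored form is
# "algorithm$salt$hexdigest", digest over salt + raw_password.
SUPPORTED = ("md5", "sha1")


def get_hexdigest(algorithm, salt, raw_password):
    # The verifier only knows md5 and sha1; anything else is an error.
    if algorithm not in SUPPORTED:
        raise ValueError("Got unknown password algorithm type in password.")
    return hashlib.new(algorithm, (salt + raw_password).encode("utf-8")).hexdigest()


def gen_hash(password, salt=None, algorithm="sha1"):
    """Compatible generator: reuses the exact helper the verifier calls."""
    if salt is None:
        salt = "".join(random.choice(ascii_letters + digits) for _ in range(8))
    return (algorithm, salt, get_hexdigest(algorithm, salt, password))


def encode(algorithm, salt, hexdigest):
    return "%s$%s$%s" % (algorithm, salt, hexdigest)


def check_password(raw_password, enc_password):
    algo, salt, hsh = enc_password.split("$")
    return hsh == get_hexdigest(algo, salt, raw_password)


def incompatible_gen_hash(password, salt=None, algorithm="sha512"):
    """Hypothetical generator with both mismatches the issue describes:
    an algorithm the verifier does not know and the salt appended instead
    of prepended. Stand-in only; not app-engine-patch's real gen_hash()."""
    if salt is None:
        salt = "".join(random.choice(ascii_letters + digits) for _ in range(8))
    digest = hashlib.new(algorithm, (password + salt).encode("utf-8")).hexdigest()
    return (algorithm, salt, digest)


def demo(password="mypass", salt="foo"):
    """Run the three scenarios and return their outcomes by name."""
    results = {}

    # 1. Generator and verifier agree: correct password accepted, wrong rejected.
    algo, s, hsh = gen_hash(password, salt=salt)
    stored = encode(algo, s, hsh)
    results["compatible"] = check_password(password, stored)
    results["compatible_wrong_pw"] = check_password("not" + password, stored)

    # 2. Same algorithm, salt on the other side of the password: the stored
    #    digest is valid sha1 but check_password() recomputes a different one,
    #    so a correct password is silently rejected.
    swapped = hashlib.sha1((password + salt).encode("utf-8")).hexdigest()
    results["salt_order"] = check_password(password, encode("sha1", salt, swapped))

    # 3. Unknown algorithm: the verifier raises instead of returning False,
    #    which surfaces as an error on every login attempt.
    algo, s, hsh = incompatible_gen_hash(password, salt=salt)
    try:
        check_password(password, encode(algo, s, hsh))
        results["unknown_algorithm"] = "accepted"
    except ValueError:
        results["unknown_algorithm"] = "ValueError"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-20s %s" % (name, outcome))
```

The practical point for this thread is that the generator and the verifier must share one helper: whichever side is changed alone, every password already stored under the other scheme stops verifying. Two caveats a practitioner would add today: random.choice draws from a non-cryptographic PRNG, so a real implementation should take its salt from random.SystemRandom or the secrets module, and a single unsalted-iteration sha1 digest is fast to brute-force, which is why later Django releases moved to iterated schemes such as PBKDF2.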

GoogleCodeExporter commented 9 years ago
It's too late for this change. I'd break all existing websites and it doesn't really provide a convincing benefit.

Original comment by wkornew...@gmail.com on 2 Apr 2009 at 9:02

GoogleCodeExporter commented 9 years ago
Then, at least patch check_password() to generate hexdigests the same way? It's a pretty useful function.

Original comment by lud...@gmail.com on 2 Apr 2009 at 9:05

GoogleCodeExporter commented 9 years ago
If I do that, check_password() won't work with existing passwords anymore. Same problem. Of course, I'd love to make it compatible, but it's too late.

Original comment by wkornew...@gmail.com on 2 Apr 2009 at 9:11