diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py index 2d1c9bb761..f0ef124b20 100644 --- a/django/contrib/auth/forms.py +++ b/django/contrib/auth/forms.py @@ -8,10 +8,7 @@ from django.utils.translation import ugettext, ugettext_lazy as _ from django.contrib.auth import authenticate from django.contrib.auth.models import User -from django.contrib.auth.hashers import ( - MAXIMUM_PASSWORD_LENGTH, UNUSABLE_PASSWORD, - is_password_usable, get_hasher -) +from django.contrib.auth.hashers import UNUSABLE_PASSWORD, is_password_usable, get_hasher from django.contrib.auth.tokens import default_token_generator from django.contrib.sites.models import get_current_site @@ -73,11 +70,10 @@ class UserCreationForm(forms.ModelForm): 'invalid': _("This value may contain only letters, numbers and " "@/./+/-/_ characters.")}) password1 = forms.CharField(label=_("Password"), - widget=forms.PasswordInput, max_length=MAXIMUM_PASSWORD_LENGTH) + widget=forms.PasswordInput) password2 = forms.CharField(label=_("Password confirmation"), widget=forms.PasswordInput, - max_length=MAXIMUM_PASSWORD_LENGTH, - help_text=_("Enter the same password as above, for verification.")) + help_text = _("Enter the same password as above, for verification.")) class Meta: model = User @@ -141,11 +137,7 @@ class AuthenticationForm(forms.Form): username/password logins. """ username = forms.CharField(label=_("Username"), max_length=30) - password = forms.CharField( - label=_("Password"), - widget=forms.PasswordInput, - max_length=MAXIMUM_PASSWORD_LENGTH, - ) + password = forms.CharField(label=_("Password"), widget=forms.PasswordInput) error_messages = { 'invalid_login': _("Please enter a correct username and password. " @@ -258,16 +250,10 @@ class SetPasswordForm(forms.Form): error_messages = { 'password_mismatch': _("The two password fields didn't match."), } - new_password1 = forms.CharField( - label=_("New password"), - widget=forms.PasswordInput, - max_length=MAXIMUM_PASSWORD_LENGTH, - ) - new_password2 = forms.CharField( - label=_("New password confirmation"), - widget=forms.PasswordInput, - max_length=MAXIMUM_PASSWORD_LENGTH, - ) + new_password1 = forms.CharField(label=_("New password"), + widget=forms.PasswordInput) + new_password2 = forms.CharField(label=_("New password confirmation"), + widget=forms.PasswordInput) def __init__(self, user, *args, **kwargs): self.user = user @@ -298,11 +284,8 @@ class PasswordChangeForm(SetPasswordForm): 'password_incorrect': _("Your old password was entered incorrectly. " "Please enter it again."), }) - old_password = forms.CharField( - label=_("Old password"), - widget=forms.PasswordInput, - max_length=MAXIMUM_PASSWORD_LENGTH, - ) + old_password = forms.CharField(label=_("Old password"), + widget=forms.PasswordInput) def clean_old_password(self): """ @@ -324,16 +307,10 @@ class AdminPasswordChangeForm(forms.Form): error_messages = { 'password_mismatch': _("The two password fields didn't match."), } - password1 = forms.CharField( - label=_("Password"), - widget=forms.PasswordInput, - max_length=MAXIMUM_PASSWORD_LENGTH, - ) - password2 = forms.CharField( - label=_("Password (again)"), - widget=forms.PasswordInput, - max_length=MAXIMUM_PASSWORD_LENGTH, - ) + password1 = forms.CharField(label=_("Password"), + widget=forms.PasswordInput) + password2 = forms.CharField(label=_("Password (again)"), + widget=forms.PasswordInput) def __init__(self, user, *args, **kwargs): self.user = user diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py index 2d7e7bd9c0..a9dbcc9568 100644 --- a/django/contrib/auth/hashers.py +++ b/django/contrib/auth/hashers.py @@ -1,4 +1,3 @@ -import functools import hashlib from django.conf import settings @@ -12,23 +11,10 @@ from django.utils.translation import ugettext_noop as _ UNUSABLE_PASSWORD = '!' # This will never be a valid encoded hash -MAXIMUM_PASSWORD_LENGTH = 4096 # The maximum length a password can be to prevent DoS HASHERS = None # lazily loaded from PASSWORD_HASHERS PREFERRED_HASHER = None # defaults to first item in PASSWORD_HASHERS -def password_max_length(max_length): - def inner(fn): - @functools.wraps(fn) - def wrapper(self, password, *args, **kwargs): - if len(password) > max_length: - raise ValueError("Invalid password; Must be less than or equal" - " to %d bytes" % max_length) - return fn(self, password, *args, **kwargs) - return wrapper - return inner - - def is_password_usable(encoded): return (encoded is not None and encoded != UNUSABLE_PASSWORD) @@ -216,7 +202,6 @@ class PBKDF2PasswordHasher(BasePasswordHasher): iterations = 10000 digest = hashlib.sha256 - @password_max_length(MAXIMUM_PASSWORD_LENGTH) def encode(self, password, salt, iterations=None): assert password assert salt and '$' not in salt @@ -226,7 +211,6 @@ class PBKDF2PasswordHasher(BasePasswordHasher): hash = hash.encode('base64').strip() return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash) - @password_max_length(MAXIMUM_PASSWORD_LENGTH) def verify(self, password, encoded): algorithm, iterations, salt, hash = encoded.split('$', 3) assert algorithm == self.algorithm @@ -272,13 +256,11 @@ class BCryptPasswordHasher(BasePasswordHasher): bcrypt = self._load_library() return bcrypt.gensalt(self.rounds) - @password_max_length(MAXIMUM_PASSWORD_LENGTH) def encode(self, password, salt): bcrypt = self._load_library() data = bcrypt.hashpw(password, salt) return "%s$%s" % (self.algorithm, data) - @password_max_length(MAXIMUM_PASSWORD_LENGTH) def verify(self, password, encoded): algorithm, data = encoded.split('$', 1) assert algorithm == self.algorithm @@ -303,14 +285,12 @@ class SHA1PasswordHasher(BasePasswordHasher): """ algorithm = "sha1" - @password_max_length(MAXIMUM_PASSWORD_LENGTH) def encode(self, password, salt): assert password assert salt and '$' not in salt hash = hashlib.sha1(salt + password).hexdigest() return "%s$%s$%s" % (self.algorithm, salt, hash) - @password_max_length(MAXIMUM_PASSWORD_LENGTH) def verify(self, password, encoded): algorithm, salt, hash = encoded.split('$', 2) assert algorithm == self.algorithm @@ -333,14 +313,12 @@ class MD5PasswordHasher(BasePasswordHasher): """ algorithm = "md5" - @password_max_length(MAXIMUM_PASSWORD_LENGTH) def encode(self, password, salt): assert password assert salt and '$' not in salt hash = hashlib.md5(salt + password).hexdigest() return "%s$%s$%s" % (self.algorithm, salt, hash) - @password_max_length(MAXIMUM_PASSWORD_LENGTH) def verify(self, password, encoded): algorithm, salt, hash = encoded.split('$', 2) assert algorithm == self.algorithm @@ -371,13 +349,11 @@ class UnsaltedSHA1PasswordHasher(BasePasswordHasher): def salt(self): return '' - @password_max_length(MAXIMUM_PASSWORD_LENGTH) def encode(self, password, salt): assert salt == '' hash = hashlib.sha1(password).hexdigest() return 'sha1$$%s' % hash - @password_max_length(MAXIMUM_PASSWORD_LENGTH) def verify(self, password, encoded): encoded_2 = self.encode(password, '') return constant_time_compare(encoded, encoded_2) @@ -407,12 +383,10 @@ class UnsaltedMD5PasswordHasher(BasePasswordHasher): def salt(self): return '' - @password_max_length(MAXIMUM_PASSWORD_LENGTH) def encode(self, password, salt): assert salt == '' return hashlib.md5(password).hexdigest() - @password_max_length(MAXIMUM_PASSWORD_LENGTH) def verify(self, password, encoded): if len(encoded) == 37 and encoded.startswith('md5$$'): encoded = encoded[5:] @@ -438,7 +412,6 @@ class CryptPasswordHasher(BasePasswordHasher): def salt(self): return get_random_string(2) - @password_max_length(MAXIMUM_PASSWORD_LENGTH) def encode(self, password, salt): crypt = self._load_library() assert len(salt) == 2 @@ -446,7 +419,6 @@ class CryptPasswordHasher(BasePasswordHasher): # we don't need to store the salt, but Django used to do this return "%s$%s$%s" % (self.algorithm, '', data) - @password_max_length(MAXIMUM_PASSWORD_LENGTH) def verify(self, password, encoded): crypt = self._load_library() algorithm, salt, data = encoded.split('$', 2) @@ -461,3 +433,4 @@ class CryptPasswordHasher(BasePasswordHasher): (_('salt'), salt), (_('hash'), mask_hash(data, show=3)), ]) + diff --git a/django/contrib/auth/tests/hashers.py b/django/contrib/auth/tests/hashers.py index 93d4f4decb..bf68c45a1b 100644 --- a/django/contrib/auth/tests/hashers.py +++ b/django/contrib/auth/tests/hashers.py @@ -1,8 +1,7 @@ from django.conf.global_settings import PASSWORD_HASHERS as default_hashers from django.contrib.auth.hashers import (is_password_usable, check_password, make_password, PBKDF2PasswordHasher, load_hashers, - PBKDF2SHA1PasswordHasher, get_hasher, UNUSABLE_PASSWORD, - MAXIMUM_PASSWORD_LENGTH, password_max_length) + PBKDF2SHA1PasswordHasher, get_hasher, UNUSABLE_PASSWORD) from django.utils import unittest from django.utils.unittest import skipUnless from django.test.utils import override_settings @@ -29,12 +28,6 @@ class TestUtilsHashPass(unittest.TestCase): self.assertTrue(is_password_usable(encoded)) self.assertTrue(check_password(u'letmein', encoded)) self.assertFalse(check_password('letmeinz', encoded)) - # Long password - self.assertRaises( - ValueError, - make_password, - "1" * (MAXIMUM_PASSWORD_LENGTH + 1), - ) def test_pkbdf2(self): encoded = make_password('letmein', 'seasalt', 'pbkdf2_sha256') @@ -43,14 +36,6 @@ class TestUtilsHashPass(unittest.TestCase): self.assertTrue(is_password_usable(encoded)) self.assertTrue(check_password(u'letmein', encoded)) self.assertFalse(check_password('letmeinz', encoded)) - # Long password - self.assertRaises( - ValueError, - make_password, - "1" * (MAXIMUM_PASSWORD_LENGTH + 1), - "seasalt", - "pbkdf2_sha256", - ) def test_sha1(self): encoded = make_password('letmein', 'seasalt', 'sha1') @@ -59,14 +44,6 @@ class TestUtilsHashPass(unittest.TestCase): self.assertTrue(is_password_usable(encoded)) self.assertTrue(check_password(u'letmein', encoded)) self.assertFalse(check_password('letmeinz', encoded)) - # Long password - self.assertRaises( - ValueError, - make_password, - "1" * (MAXIMUM_PASSWORD_LENGTH + 1), - "seasalt", - "sha1", - ) def test_md5(self): encoded = make_password('letmein', 'seasalt', 'md5') @@ -75,14 +52,6 @@ class TestUtilsHashPass(unittest.TestCase): self.assertTrue(is_password_usable(encoded)) self.assertTrue(check_password(u'letmein', encoded)) self.assertFalse(check_password('letmeinz', encoded)) - # Long password - self.assertRaises( - ValueError, - make_password, - "1" * (MAXIMUM_PASSWORD_LENGTH + 1), - "seasalt", - "md5", - ) def test_unsalted_md5(self): encoded = make_password('letmein', '', 'unsalted_md5') @@ -95,14 +64,6 @@ class TestUtilsHashPass(unittest.TestCase): self.assertTrue(is_password_usable(alt_encoded)) self.assertTrue(check_password(u'letmein', alt_encoded)) self.assertFalse(check_password('letmeinz', alt_encoded)) - # Long password - self.assertRaises( - ValueError, - make_password, - "1" * (MAXIMUM_PASSWORD_LENGTH + 1), - "", - "unsalted_md5", - ) def test_unsalted_sha1(self): encoded = make_password('letmein', '', 'unsalted_sha1') @@ -113,14 +74,6 @@ class TestUtilsHashPass(unittest.TestCase): # Raw SHA1 isn't acceptable alt_encoded = encoded[6:] self.assertRaises(ValueError, check_password, 'letmein', alt_encoded) - # Long password - self.assertRaises( - ValueError, - make_password, - "1" * (MAXIMUM_PASSWORD_LENGTH + 1), - "", - "unslated_sha1", - ) @skipUnless(crypt, "no crypt module to generate password.") def test_crypt(self): @@ -129,14 +82,6 @@ class TestUtilsHashPass(unittest.TestCase): self.assertTrue(is_password_usable(encoded)) self.assertTrue(check_password(u'letmein', encoded)) self.assertFalse(check_password('letmeinz', encoded)) - # Long password - self.assertRaises( - ValueError, - make_password, - "1" * (MAXIMUM_PASSWORD_LENGTH + 1), - "seasalt", - "crypt", - ) @skipUnless(bcrypt, "py-bcrypt not installed") def test_bcrypt(self): @@ -145,13 +90,6 @@ class TestUtilsHashPass(unittest.TestCase): self.assertTrue(encoded.startswith('bcrypt$')) self.assertTrue(check_password(u'letmein', encoded)) self.assertFalse(check_password('letmeinz', encoded)) - # Long password - self.assertRaises( - ValueError, - make_password, - "1" * (MAXIMUM_PASSWORD_LENGTH + 1), - hasher="bcrypt", - ) def test_unusable(self): encoded = make_password(None) @@ -167,14 +105,6 @@ class TestUtilsHashPass(unittest.TestCase): make_password('letmein', hasher='lolcat') self.assertRaises(ValueError, doit) - def test_max_password_length_decorator(self): - @password_max_length(10) - def encode(s, password, salt): - return True - - self.assertTrue(encode(None, "1234", "1234")) - self.assertRaises(ValueError, encode, None, "1234567890A", "1234") - def test_low_level_pkbdf2(self): hasher = PBKDF2PasswordHasher() encoded = hasher.encode('letmein', 'seasalt')