Fixed #32130 -- Fixed pre-Django 3.1 password reset tokens validation.

Thanks Gordon Wrigley for the report and implementation idea. Regression in 226ebb1729.
2025-10-27 07:36:08 +00:00 · 2020-10-22 13:21:14 +02:00
parent 284bde3fbe
commit 3418092238
3 changed files with 35 additions and 3 deletions
--- a/django/contrib/auth/tokens.py
+++ b/django/contrib/auth/tokens.py
@@ -1,4 +1,4 @@
-from datetime import datetime
+from datetime import datetime, time

 from django.conf import settings
 from django.utils.crypto import constant_time_compare, salted_hmac
@@ -36,6 +36,8 @@ class PasswordResetTokenGenerator:
        # Parse the token
        try:
            ts_b36, _ = token.split("-")
+            # RemovedInDjango40Warning.
+            legacy_token = len(ts_b36) < 4
        except ValueError:
            return False

@@ -55,8 +57,14 @@ class PasswordResetTokenGenerator:
            ):
                return False

+        # RemovedInDjango40Warning: convert days to seconds and round to
+        # midnight (server time) for pre-Django 3.1 tokens.
+        now = self._now()
+        if legacy_token:
+            ts *= 24 * 60 * 60
+            ts += int((now - datetime.combine(now.date(), time.min)).total_seconds())
        # Check the timestamp is within limit.
-        if (self._num_seconds(self._now()) - ts) > settings.PASSWORD_RESET_TIMEOUT:
+        if (self._num_seconds(now) - ts) > settings.PASSWORD_RESET_TIMEOUT:
            return False

        return True