mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-07-04 17:59:13 +00:00
Code Issues 32 Releases Wiki Activity

Fix a security issue in the auth system. Disclosure and new release forthcoming.

Browse Source 
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15034 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Alex Gaynor 2010-12-23 03:46:37 +00:00
parent 85207a245b
commit d5d8942a16
3 changed files with 19 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
django/contrib/auth/tests/tokens.py
View File

@ -50,3 +50,14 @@ class TokenGeneratorTest(TestCase):
p2 = Mocked(date.today() + timedelta(settings.PASSWORD_RESET_TIMEOUT_DAYS + 1)) p2 = Mocked(date.today() + timedelta(settings.PASSWORD_RESET_TIMEOUT_DAYS + 1))
self.assertFalse(p2.check_token(user, tk1)) self.assertFalse(p2.check_token(user, tk1))
def test_date_length(self):
"""
Make sure we don't allow overly long dates, causing a potential DoS.
"""
user = User.objects.create_user('ima1337h4x0r', 'test4@example.com', 'p4ssw0rd')
p0 = PasswordResetTokenGenerator()
# This will put a 14-digit base36 timestamp into the token, which is too large.
tk1 = p0._make_token_with_timestamp(user, 175455491841851871349)
self.assertFalse(p0.check_token(user, tk1))

2
django/contrib/auth/urls.py
View File

@ -11,7 +11,7 @@ urlpatterns = patterns('',
(r'^password_change/done/$', 'django.contrib.auth.views.password_change_done'), (r'^password_change/done/$', 'django.contrib.auth.views.password_change_done'),
(r'^password_reset/$', 'django.contrib.auth.views.password_reset'), (r'^password_reset/$', 'django.contrib.auth.views.password_reset'),
(r'^password_reset/done/$', 'django.contrib.auth.views.password_reset_done'), (r'^password_reset/done/$', 'django.contrib.auth.views.password_reset_done'),
(r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$', 'django.contrib.auth.views.password_reset_confirm'), (r'^reset/(?P<uidb36>[0-9A-Za-z]{1,13})-(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$', 'django.contrib.auth.views.password_reset_confirm'),
(r'^reset/done/$', 'django.contrib.auth.views.password_reset_complete'), (r'^reset/done/$', 'django.contrib.auth.views.password_reset_complete'),
) )

7
django/utils/http.py
View File

@ -73,8 +73,13 @@ def http_date(epoch_seconds=None):
def base36_to_int(s): def base36_to_int(s):
""" """
Convertd a base 36 string to an integer Converts a base 36 string to an ``int``. To prevent
overconsumption of server resources, raises ``ValueError` if the
input is longer than 13 base36 digits (13 digits is sufficient to
base36-encode any 64-bit integer).
""" """
if len(s) > 13:
raise ValueError("Base36 input too large")
return int(s, 36) return int(s, 36)
def int_to_base36(i): def int_to_base36(i):