Commit 25aaa359 authored by Luke Plant

Removed Django 1.2 compatibility fallback for password reset hash

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15950 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 88230216
+0 −22
@@ -51,28 +51,6 @@ class TokenGeneratorTest(TestCase):
        p2 = Mocked(date.today() + timedelta(settings.PASSWORD_RESET_TIMEOUT_DAYS + 1))
        self.assertFalse(p2.check_token(user, tk1))

    def test_django12_hash(self):
        """
        Ensure we can use the hashes generated by Django 1.2
        """
        # Hard code in the Django 1.2 algorithm (not the result, as it is time
        # dependent)
        def _make_token(user):
            import hashlib
            from django.utils.http import int_to_base36

            timestamp = (date.today() - date(2001,1,1)).days
            ts_b36 = int_to_base36(timestamp)
            hash = hashlib.sha1(settings.SECRET_KEY + unicode(user.id) +
                               user.password + user.last_login.strftime('%Y-%m-%d %H:%M:%S') +
                               unicode(timestamp)).hexdigest()[::2]
            return "%s-%s" % (ts_b36, hash)

        user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
        p0 = PasswordResetTokenGenerator()
        tk1 = _make_token(user)
        self.assertTrue(p0.check_token(user, tk1))

    def test_date_length(self):
        """
        Make sure we don't allow overly long dates, causing a potential DoS.
+1 −14
from datetime import date
import hashlib
from django.conf import settings
from django.utils.http import int_to_base36, base36_to_int
from django.utils.crypto import constant_time_compare, salted_hmac
@@ -33,10 +32,6 @@ class PasswordResetTokenGenerator(object):

        # Check that the timestamp/uid has not been tampered with
        if not constant_time_compare(self._make_token_with_timestamp(user, ts), token):
            # Fallback to Django 1.2 method for compatibility.
            # PendingDeprecationWarning <- here to remind us to remove this in
            # Django 1.5
            if not constant_time_compare(self._make_token_with_timestamp_old(user, ts), token):
            return False

        # Check the timestamp is within limit
@@ -63,14 +58,6 @@ class PasswordResetTokenGenerator(object):
        hash = salted_hmac(key_salt, value).hexdigest()[::2]
        return "%s-%s" % (ts_b36, hash)

    def _make_token_with_timestamp_old(self, user, timestamp):
        # The Django 1.2 method
        ts_b36 = int_to_base36(timestamp)
        hash = hashlib.sha1(settings.SECRET_KEY + unicode(user.id) +
                           user.password + user.last_login.strftime('%Y-%m-%d %H:%M:%S') +
                           unicode(timestamp)).hexdigest()[::2]
        return "%s-%s" % (ts_b36, hash)

    def _num_days(self, dt):
        return (dt - date(2001,1,1)).days
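Review bot: The hunk at `@@ -33,10 +32,6` leaves undocumented that reset links issued under the Django 1.2 token format stop validating the moment this code is deployed, even when they are still inside PASSWORD_RESET_TIMEOUT_DAYS, and the comment it removes had scheduled that cutoff for Django 1.5 rather than now. A release-note entry or a short comment above the surviving `if not constant_time_compare(self._make_token_with_timestamp(user, ts), token):` line — e.g. `# Only the salted_hmac token format is accepted; pre-1.3 sha1 tokens are rejected outright.` — would make the compatibility break explicit. From a security standpoint the single acceptance path is the right outcome, since a token that validates against either of two algorithms is only as strong as the weaker one, here the unsalted sha1 over SECRET_KEY, user.id, password and last_login that the removed `_make_token_with_timestamp_old` computed. Two things to verify outside the hunks: nothing else in tokens.py still uses hashlib now that its import is dropped, and the third hunk shows one line fewer than its `@@ -63,14 +58,6` header announces, so its tail (presumably the blank line after `_num_days`) is not visible here.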