Commit 6bd3896f authored by Claude Paroz's avatar Claude Paroz
Browse files

[1.4.x] Fixed #18144 -- Added backwards compatibility with old unsalted MD5 passwords 

Thanks apreobrazhensky at gmail.com for the report.
Backport of 63d6a50d from master.
parent 89ba1b27

django/contrib/auth/hashers.py

+4 −1
Original line number Diff line number Diff line
@@ -35,7 +35,8 @@ def check_password(password, encoded, setter=None, preferred='default'): 
    password = smart_str(password)

    encoded = smart_str(encoded)



    if len(encoded) == 32 and '$' not in encoded:

    if ((len(encoded) == 32 and '$' not in encoded) or

            (len(encoded) == 37 and encoded.startswith('md5$$'))):

        hasher = get_hasher('unsalted_md5')

    else:

        algorithm = encoded.split('$', 1)[0]
@@ -347,6 +348,8 @@ class UnsaltedMD5PasswordHasher(BasePasswordHasher): 
        return hashlib.md5(password).hexdigest()



    def verify(self, password, encoded):

        if len(encoded) == 37 and encoded.startswith('md5$$'):

            encoded = encoded[5:]

        encoded_2 = self.encode(password, '')

        return constant_time_compare(encoded, encoded_2)

django/contrib/auth/tests/hashers.py

+5 −0
Original line number Diff line number Diff line
@@ -59,6 +59,11 @@ class TestUtilsHashPass(unittest.TestCase): 
        self.assertTrue(is_password_usable(encoded))

        self.assertTrue(check_password(u'letmein', encoded))

        self.assertFalse(check_password('letmeinz', encoded))

        # Alternate unsalted syntax

        alt_encoded = "md5$$%s" % encoded

        self.assertTrue(is_password_usable(alt_encoded))

        self.assertTrue(check_password(u'letmein', alt_encoded))

        self.assertFalse(check_password('letmeinz', alt_encoded))



    @skipUnless(crypt, "no crypt module to generate password.")

    def test_crypt(self):