Fixed CVE-2018-16984 -- Fixed password hash disclosure to admin "view only" users.

Thanks Claude Paroz & Tim Graham for collaborating on the patch.
2025-08-04 19:08:28 +00:00 · 2018-09-13 15:08:41 +02:00 · 2018-09-13 15:08:41 +02:00 · bf39978a53
commit bf39978a53
parent a4932be483
4 changed files with 44 additions and 3 deletions
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@ -15,11 +15,12 @@ from django.contrib.auth import (
 from django.contrib.auth.forms import (
    AuthenticationForm, PasswordChangeForm, SetPasswordForm,
 )
-from django.contrib.auth.models import User
+from django.contrib.auth.models import Permission, User
 from django.contrib.auth.views import (
    INTERNAL_RESET_SESSION_TOKEN, LoginView, logout_then_login,
    redirect_to_login,
 )
+from django.contrib.contenttypes.models import ContentType
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.contrib.sites.requests import RequestSite
 from django.core import mail
@ -1098,6 +1099,11 @@ class LogoutTest(AuthViewsTestCase):
        self.assertRedirects(response, '/logout/', fetch_redirect_response=False)


+def get_perm(Model, perm):
+    ct = ContentType.objects.get_for_model(Model)
+    return Permission.objects.get(content_type=ct, codename=perm)
+
+
 # Redirect in test_user_change_password will fail if session auth hash
 # isn't updated after password change (#21649)
@override_settings(ROOT_URLCONF='auth_tests.urls_admin')
@ -1211,6 +1217,25 @@ class ChangelistTests(AuthViewsTestCase):
        (_request, user), _kwargs = has_change_permission.call_args
        self.assertEqual(user.pk, self.admin.pk)

+    def test_view_user_password_is_readonly(self):
+        u = User.objects.get(username='testclient')
+        u.is_superuser = False
+        u.save()
+        u.user_permissions.add(get_perm(User, 'view_user'))
+        response = self.client.get(reverse('auth_test_admin:auth_user_change', args=(u.pk,)),)
+        algo, salt, hash_string = (u.password.split('$'))
+        self.assertContains(response, '<div class="readonly">testclient</div>')
+        # ReadOnlyPasswordHashWidget is used to render the field.
+        self.assertContains(
+            response,
+            '<strong>algorithm</strong>: %s\n\n'
+            '<strong>salt</strong>: %s**********\n\n'
+            '<strong>hash</strong>: %s**************************\n\n' % (
+                algo, salt[:2], hash_string[:6],
+            ),
+            html=True,
+        )
+

@override_settings(
    AUTH_USER_MODEL='auth_tests.UUIDUser',