David Cain 2025-11-17 16:30:22 +02:00 committed by GitHub
commit efac773d78
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 19 additions and 2 deletions


@ -569,8 +569,11 @@ class BCryptPasswordHasher(BCryptSHA256PasswordHasher):
issues.
This hasher does not first hash the password which means it is subject to
bcrypt's 72 bytes password truncation. Most use cases should prefer the
BCryptSHA256PasswordHasher.
bcrypt's 72 byte limit. With bcrypt version 5 or newer, a `ValueError`
will be raised if the password exceeds 72 bytes. On older versions, the
password is silently truncated to 72 characters.
The BCryptSHA256PasswordHasher won't raise exceptions on longer passwords.
"""
algorithm = "bcrypt"
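Review bot: The new docstring is inconsistent about the unit of the limit: the added line `password is silently truncated to 72 characters.` should read `72 bytes`, matching the `72 byte limit` and `exceeds 72 bytes` wording two lines above, because if (as is usual) the password is encoded to bytes before being handed to bcrypt, a string of fewer than 72 characters can still exceed the limit. It would also help to state the security consequence rather than only the mechanism, e.g. `On older versions, the password is silently truncated to 72 bytes, so any password that shares the first 72 bytes of the stored one will verify.` The closing sentence could tie back to the reason given at the top of the paragraph: `The BCryptSHA256PasswordHasher hashes the password first and so won't raise on longer passwords.` The class docstring and class body continue outside the hunk.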


@ -152,6 +152,20 @@ class TestUtilsHashPass(SimpleTestCase):
self.assertTrue(check_password("", blank_encoded))
self.assertFalse(check_password(" ", blank_encoded))
@skipUnless(bcrypt, "bcrypt not installed")
@override_settings(
PASSWORD_HASHERS=["django.contrib.auth.hashers.BCryptPasswordHasher"]
)
def test_bcrypt_truncation(self):
if bcrypt.__version__ >= "5.0.0":
with self.assertRaises(ValueError) as cm:
encoded = make_password(73 * "x", hasher="bcrypt")
self.assertIn("72 bytes", str(cm.exception))
else:
# Older versions silently truncated to 72 bytes
encoded = make_password(73 * "x", hasher="bcrypt")
self.assertTrue(check_password(72 * "x", encoded))
@skipUnless(bcrypt, "bcrypt not installed")
@override_settings(
PASSWORD_HASHERS=["django.contrib.auth.hashers.BCryptPasswordHasher"]