File: password-dos.diff

package info (click to toggle)
python-django 1.4.5-1%2Bdeb7u16
links: PTS, VCS
area: main
in suites: wheezy
size: 44,168 kB
sloc: python: 140,205; xml: 659; makefile: 160; sh: 145; sql: 7
file content (371 lines) | stat: -rw-r--r-- 13,504 bytes
Origin: https://github.com/django/django/commit/3f3d887a6844ec2db743fee64c9e53e04d39a368#L1L349
Date: 2013-09-15
Description: Ensure that passwords are never long enough for a DoS.
 * Limit the password length to 4096 bytes
 * Password hashers will raise a ValueError
 * django.contrib.auth forms will fail validation
 * Document in release notes that this is a backwards incompatible change

Thanks to Josh Wright for the report, and Donald Stufft for the patch.

Some changes were stripped from this patch since they also apply fixes to
UnsaltedSHA1PasswordHasher which is not shipped in the version of Django
in Debian.

--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -8,7 +8,10 @@
 
 from django.contrib.auth import authenticate
 from django.contrib.auth.models import User
-from django.contrib.auth.hashers import UNUSABLE_PASSWORD, is_password_usable, get_hasher
+from django.contrib.auth.hashers import (
+    MAXIMUM_PASSWORD_LENGTH, UNUSABLE_PASSWORD,
+    is_password_usable, get_hasher
+)
 from django.contrib.auth.tokens import default_token_generator
 from django.contrib.sites.models import get_current_site
 
@@ -70,10 +73,11 @@
             'invalid': _("This value may contain only letters, numbers and "
                          "@/./+/-/_ characters.")})
     password1 = forms.CharField(label=_("Password"),
-        widget=forms.PasswordInput)
+        widget=forms.PasswordInput, max_length=MAXIMUM_PASSWORD_LENGTH)
     password2 = forms.CharField(label=_("Password confirmation"),
         widget=forms.PasswordInput,
-        help_text = _("Enter the same password as above, for verification."))
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+        help_text=_("Enter the same password as above, for verification."))
 
     class Meta:
         model = User
@@ -137,7 +141,11 @@
     username/password logins.
     """
     username = forms.CharField(label=_("Username"), max_length=30)
-    password = forms.CharField(label=_("Password"), widget=forms.PasswordInput)
+    password = forms.CharField(
+        label=_("Password"),
+        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+    )
 
     error_messages = {
         'invalid_login': _("Please enter a correct username and password. "
@@ -250,10 +258,16 @@
     error_messages = {
         'password_mismatch': _("The two password fields didn't match."),
     }
-    new_password1 = forms.CharField(label=_("New password"),
-                                    widget=forms.PasswordInput)
-    new_password2 = forms.CharField(label=_("New password confirmation"),
-                                    widget=forms.PasswordInput)
+    new_password1 = forms.CharField(
+        label=_("New password"),
+        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+    )
+    new_password2 = forms.CharField(
+        label=_("New password confirmation"),
+        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+    )
 
     def __init__(self, user, *args, **kwargs):
         self.user = user
@@ -284,8 +298,11 @@
         'password_incorrect': _("Your old password was entered incorrectly. "
                                 "Please enter it again."),
     })
-    old_password = forms.CharField(label=_("Old password"),
-                                   widget=forms.PasswordInput)
+    old_password = forms.CharField(
+        label=_("Old password"),
+        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+    )
 
     def clean_old_password(self):
         """
@@ -307,10 +324,16 @@
     error_messages = {
         'password_mismatch': _("The two password fields didn't match."),
     }
-    password1 = forms.CharField(label=_("Password"),
-                                widget=forms.PasswordInput)
-    password2 = forms.CharField(label=_("Password (again)"),
-                                widget=forms.PasswordInput)
+    password1 = forms.CharField(
+        label=_("Password"),
+        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+    )
+    password2 = forms.CharField(
+        label=_("Password (again)"),
+        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+    )
 
     def __init__(self, user, *args, **kwargs):
         self.user = user
--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
@@ -1,3 +1,4 @@
+import functools
 import hashlib
 
 from django.conf import settings
@@ -11,10 +12,23 @@
 
 
 UNUSABLE_PASSWORD = '!'  # This will never be a valid encoded hash
+MAXIMUM_PASSWORD_LENGTH = 4096  # The maximum length a password can be to prevent DoS
 HASHERS = None  # lazily loaded from PASSWORD_HASHERS
 PREFERRED_HASHER = None  # defaults to first item in PASSWORD_HASHERS
 
 
+def password_max_length(max_length):
+    def inner(fn):
+        @functools.wraps(fn)
+        def wrapper(self, password, *args, **kwargs):
+            if len(password) > max_length:
+                raise ValueError("Invalid password; Must be less than or equal"
+                                 " to %d bytes" % max_length)
+            return fn(self, password, *args, **kwargs)
+        return wrapper
+    return inner
+
+
 def is_password_usable(encoded):
     return (encoded is not None and encoded != UNUSABLE_PASSWORD)
 
@@ -197,6 +211,7 @@
     iterations = 10000
     digest = hashlib.sha256
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def encode(self, password, salt, iterations=None):
         assert password
         assert salt and '$' not in salt
@@ -206,6 +221,7 @@
         hash = hash.encode('base64').strip()
         return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash)
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def verify(self, password, encoded):
         algorithm, iterations, salt, hash = encoded.split('$', 3)
         assert algorithm == self.algorithm
@@ -251,11 +267,13 @@
         bcrypt = self._load_library()
         return bcrypt.gensalt(self.rounds)
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def encode(self, password, salt):
         bcrypt = self._load_library()
         data = bcrypt.hashpw(password, salt)
         return "%s$%s" % (self.algorithm, data)
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def verify(self, password, encoded):
         algorithm, data = encoded.split('$', 1)
         assert algorithm == self.algorithm
@@ -280,12 +298,14 @@
     """
     algorithm = "sha1"
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def encode(self, password, salt):
         assert password
         assert salt and '$' not in salt
         hash = hashlib.sha1(salt + password).hexdigest()
         return "%s$%s$%s" % (self.algorithm, salt, hash)
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def verify(self, password, encoded):
         algorithm, salt, hash = encoded.split('$', 2)
         assert algorithm == self.algorithm
@@ -308,12 +328,14 @@
     """
     algorithm = "md5"
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def encode(self, password, salt):
         assert password
         assert salt and '$' not in salt
         hash = hashlib.md5(salt + password).hexdigest()
         return "%s$%s$%s" % (self.algorithm, salt, hash)
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def verify(self, password, encoded):
         algorithm, salt, hash = encoded.split('$', 2)
         assert algorithm == self.algorithm
@@ -344,15 +366,18 @@
     def salt(self):
         return ''
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def encode(self, password, salt):
         return hashlib.md5(password).hexdigest()
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def verify(self, password, encoded):
         if len(encoded) == 37 and encoded.startswith('md5$$'):
             encoded = encoded[5:]
         encoded_2 = self.encode(password, '')
         return constant_time_compare(encoded, encoded_2)
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def safe_summary(self, encoded):
         return SortedDict([
             (_('algorithm'), self.algorithm),
@@ -372,6 +397,7 @@
     def salt(self):
         return get_random_string(2)
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def encode(self, password, salt):
         crypt = self._load_library()
         assert len(salt) == 2
@@ -379,6 +405,7 @@
         # we don't need to store the salt, but Django used to do this
         return "%s$%s$%s" % (self.algorithm, '', data)
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def verify(self, password, encoded):
         crypt = self._load_library()
         algorithm, salt, data = encoded.split('$', 2)
@@ -393,4 +420,3 @@
             (_('salt'), salt),
             (_('hash'), mask_hash(data, show=3)),
         ])
-
--- a/django/contrib/auth/tests/hashers.py
+++ b/django/contrib/auth/tests/hashers.py
@@ -1,7 +1,8 @@
 from django.conf.global_settings import PASSWORD_HASHERS as default_hashers
 from django.contrib.auth.hashers import (is_password_usable, 
     check_password, make_password, PBKDF2PasswordHasher, load_hashers,
-    PBKDF2SHA1PasswordHasher, get_hasher, UNUSABLE_PASSWORD)
+    PBKDF2SHA1PasswordHasher, get_hasher, UNUSABLE_PASSWORD,
+    MAXIMUM_PASSWORD_LENGTH, password_max_length)
 from django.utils import unittest
 from django.utils.unittest import skipUnless
 from django.test.utils import override_settings
@@ -28,6 +29,12 @@
         self.assertTrue(is_password_usable(encoded))
         self.assertTrue(check_password(u'letmein', encoded))
         self.assertFalse(check_password('letmeinz', encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+        )
 
     def test_pkbdf2(self):
         encoded = make_password('letmein', 'seasalt', 'pbkdf2_sha256')
@@ -36,6 +43,14 @@
         self.assertTrue(is_password_usable(encoded))
         self.assertTrue(check_password(u'letmein', encoded))
         self.assertFalse(check_password('letmeinz', encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            "seasalt",
+            "pbkdf2_sha256",
+        )
 
     def test_sha1(self):
         encoded = make_password('letmein', 'seasalt', 'sha1')
@@ -44,6 +59,14 @@
         self.assertTrue(is_password_usable(encoded))
         self.assertTrue(check_password(u'letmein', encoded))
         self.assertFalse(check_password('letmeinz', encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            "seasalt",
+            "sha1",
+        )
 
     def test_md5(self):
         encoded = make_password('letmein', 'seasalt', 'md5')
@@ -52,6 +75,14 @@
         self.assertTrue(is_password_usable(encoded))
         self.assertTrue(check_password(u'letmein', encoded))
         self.assertFalse(check_password('letmeinz', encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            "seasalt",
+            "md5",
+        )
 
     def test_unsalted_md5(self):
         encoded = make_password('letmein', 'seasalt', 'unsalted_md5')
@@ -64,6 +95,14 @@
         self.assertTrue(is_password_usable(alt_encoded))
         self.assertTrue(check_password(u'letmein', alt_encoded))
         self.assertFalse(check_password('letmeinz', alt_encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            "",
+            "unsalted_md5",
+        )
 
     @skipUnless(crypt, "no crypt module to generate password.")
     def test_crypt(self):
@@ -72,6 +111,14 @@
         self.assertTrue(is_password_usable(encoded))
         self.assertTrue(check_password(u'letmein', encoded))
         self.assertFalse(check_password('letmeinz', encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            "seasalt",
+            "crypt",
+        )
 
     @skipUnless(bcrypt, "py-bcrypt not installed")
     def test_bcrypt(self):
@@ -80,6 +127,13 @@
         self.assertTrue(encoded.startswith('bcrypt$'))
         self.assertTrue(check_password(u'letmein', encoded))
         self.assertFalse(check_password('letmeinz', encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            hasher="bcrypt",
+        )
 
     def test_unusable(self):
         encoded = make_password(None)
@@ -95,6 +149,14 @@
             make_password('letmein', hasher='lolcat')
         self.assertRaises(ValueError, doit)
 
+    def test_max_password_length_decorator(self):
+        @password_max_length(10)
+        def encode(s, password, salt):
+            return True
+
+        self.assertTrue(encode(None, b"1234", b"1234"))
+        self.assertRaises(ValueError, encode, None, b"1234567890A", b"1234")
+
     def test_low_level_pkbdf2(self):
         hasher = PBKDF2PasswordHasher()
         encoded = hasher.encode('letmein', 'seasalt')