Ensure that passwords are never long enough for a DoS.

* Limit the password length to 4096 bytes * Password hashers will raise a ValueError * django.contrib.auth forms will fail validation * Document in release notes that this is a backwards incompatible change Thanks to Josh Wright for the report, and Donald Stufft for the patch. This is a security fix; disclosure to follow shortly.

Ensure that passwords are never long enough for a DoS.
* Limit the password length to 4096 bytes * Password hashers will raise a ValueError * django.contrib.auth forms will fail validation * Document in release notes that this is a backwards incompatible change Thanks to Josh Wright for the report, and Donald Stufft for the patch. This is a security fix; disclosure to follow shortly.
aae5a96d · Russell Keith-Magee · 351a0614 · aae5a96d · aae5a96d · aae5a96d
Kaydet (Commit) aae5a96d authored Eyl 15, 2013 tarafından Russell Keith-Magee
Showing with 153 additions and 17 deletions

forms.py django/contrib/auth/forms.py +35 -13

hashers.py django/contrib/auth/hashers.py +28 -1

test_hashers.py django/contrib/auth/tests/test_hashers.py +82 -3

1.7.txt docs/releases/1.7.txt +8 -0

No files found.
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -14,7 +14,9 @@ from django.utils.translation import ugettext, ugettext_lazy as _

 from django.contrib.auth import authenticate, get_user_model
 from django.contrib.auth.models import User
-from django.contrib.auth.hashers import UNUSABLE_PASSWORD_PREFIX, identify_hasher
+from django.contrib.auth.hashers import (
+    MAXIMUM_PASSWORD_LENGTH, UNUSABLE_PASSWORD_PREFIX, identify_hasher,
+)
 from django.contrib.auth.tokens import default_token_generator
 from django.contrib.sites.models import get_current_site

@@ -80,9 +82,10 @@ class UserCreationForm(forms.ModelForm):
            'invalid': _("This value may contain only letters, numbers and "
                         "@/./+/-/_ characters.")})
    password1 = forms.CharField(label=_("Password"),
-        widget=forms.PasswordInput)
+        widget=forms.PasswordInput, max_length=MAXIMUM_PASSWORD_LENGTH)
    password2 = forms.CharField(label=_("Password confirmation"),
        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
        help_text=_("Enter the same password as above, for verification."))

    class Meta:
@@ -156,7 +159,11 @@ class AuthenticationForm(forms.Form):
    username/password logins.
    """
    username = forms.CharField(max_length=254)
-    password = forms.CharField(label=_("Password"), widget=forms.PasswordInput)
+    password = forms.CharField(
+        label=_("Password"),
+        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+    )

    error_messages = {
        'invalid_login': _("Please enter a correct %(username)s and password. "
@@ -279,10 +286,16 @@ class SetPasswordForm(forms.Form):
    error_messages = {
        'password_mismatch': _("The two password fields didn't match."),
    }
-    new_password1 = forms.CharField(label=_("New password"),
-                                    widget=forms.PasswordInput)
-    new_password2 = forms.CharField(label=_("New password confirmation"),
-                                    widget=forms.PasswordInput)
+    new_password1 = forms.CharField(
+        label=_("New password"),
+        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+    )
+    new_password2 = forms.CharField(
+        label=_("New password confirmation"),
+        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+    )

    def __init__(self, user, *args, **kwargs):
        self.user = user
@@ -315,8 +328,11 @@ class PasswordChangeForm(SetPasswordForm):
        'password_incorrect': _("Your old password was entered incorrectly. "
                                "Please enter it again."),
    })
-    old_password = forms.CharField(label=_("Old password"),
-                                   widget=forms.PasswordInput)
+    old_password = forms.CharField(
+        label=_("Old password"),
+        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+    )

    def clean_old_password(self):
        """
@@ -343,10 +359,16 @@ class AdminPasswordChangeForm(forms.Form):
    error_messages = {
        'password_mismatch': _("The two password fields didn't match."),
    }
-    password1 = forms.CharField(label=_("Password"),
-                                widget=forms.PasswordInput)
-    password2 = forms.CharField(label=_("Password (again)"),
-                                widget=forms.PasswordInput)
+    password1 = forms.CharField(
+        label=_("Password"),
+        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+    )
+    password2 = forms.CharField(
+        label=_("Password (again)"),
+        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+    )

    def __init__(self, user, *args, **kwargs):
        self.user = user

--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 import base64
 import binascii
 from collections import OrderedDict
+import functools
 import hashlib
 import importlib

@@ -19,6 +20,7 @@ from django.utils.translation import ugettext_noop as _

 UNUSABLE_PASSWORD_PREFIX = '!'  # This will never be a valid encoded hash
 UNUSABLE_PASSWORD_SUFFIX_LENGTH = 40  # number of random chars to add after UNUSABLE_PASSWORD_PREFIX
+MAXIMUM_PASSWORD_LENGTH = 4096  # The maximum length a password can be to prevent DoS
 HASHERS = None  # lazily loaded from PASSWORD_HASHERS
 PREFERRED_HASHER = None  # defaults to first item in PASSWORD_HASHERS

@@ -31,6 +33,18 @@ def reset_hashers(**kwargs):
        PREFERRED_HASHER = None


+def password_max_length(max_length):
+    def inner(fn):
+        @functools.wraps(fn)
+        def wrapper(self, password, *args, **kwargs):
+            if len(password) > max_length:
+                raise ValueError("Invalid password; Must be less than or equal"
+                                 " to %d bytes" % max_length)
+            return fn(self, password, *args, **kwargs)
+        return wrapper
+    return inner
+
+
 def is_password_usable(encoded):
    if encoded is None or encoded.startswith(UNUSABLE_PASSWORD_PREFIX):
        return False
@@ -225,6 +239,7 @@ class PBKDF2PasswordHasher(BasePasswordHasher):
    iterations = 10000
    digest = hashlib.sha256

+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
    def encode(self, password, salt, iterations=None):
        assert password is not None
        assert salt and '$' not in salt
@@ -234,6 +249,7 @@ class PBKDF2PasswordHasher(BasePasswordHasher):
        hash = base64.b64encode(hash).decode('ascii').strip()
        return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash)

+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
    def verify(self, password, encoded):
        algorithm, iterations, salt, hash = encoded.split('$', 3)
        assert algorithm == self.algorithm
@@ -280,6 +296,7 @@ class BCryptSHA256PasswordHasher(BasePasswordHasher):
        bcrypt = self._load_library()
        return bcrypt.gensalt(self.rounds)

+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
    def encode(self, password, salt):
        bcrypt = self._load_library()
        # Need to reevaluate the force_bytes call once bcrypt is supported on
@@ -297,6 +314,7 @@ class BCryptSHA256PasswordHasher(BasePasswordHasher):
        data = bcrypt.hashpw(password, salt)
        return "%s$%s" % (self.algorithm, force_text(data))

+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
    def verify(self, password, encoded):
        algorithm, data = encoded.split('$', 1)
        assert algorithm == self.algorithm
@@ -353,12 +371,14 @@ class SHA1PasswordHasher(BasePasswordHasher):
    """
    algorithm = "sha1"

+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
    def encode(self, password, salt):
        assert password is not None
        assert salt and '$' not in salt
        hash = hashlib.sha1(force_bytes(salt + password)).hexdigest()
        return "%s$%s$%s" % (self.algorithm, salt, hash)

+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
    def verify(self, password, encoded):
        algorithm, salt, hash = encoded.split('$', 2)
        assert algorithm == self.algorithm
@@ -381,12 +401,14 @@ class MD5PasswordHasher(BasePasswordHasher):
    """
    algorithm = "md5"

+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
    def encode(self, password, salt):
        assert password is not None
        assert salt and '$' not in salt
        hash = hashlib.md5(force_bytes(salt + password)).hexdigest()
        return "%s$%s$%s" % (self.algorithm, salt, hash)

+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
    def verify(self, password, encoded):
        algorithm, salt, hash = encoded.split('$', 2)
        assert algorithm == self.algorithm
@@ -417,11 +439,13 @@ class UnsaltedSHA1PasswordHasher(BasePasswordHasher):
    def salt(self):
        return ''

+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
    def encode(self, password, salt):
        assert salt == ''
        hash = hashlib.sha1(force_bytes(password)).hexdigest()
        return 'sha1$$%s' % hash

+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
    def verify(self, password, encoded):
        encoded_2 = self.encode(password, '')
        return constant_time_compare(encoded, encoded_2)
@@ -451,10 +475,12 @@ class UnsaltedMD5PasswordHasher(BasePasswordHasher):
    def salt(self):
        return ''

+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
    def encode(self, password, salt):
        assert salt == ''
        return hashlib.md5(force_bytes(password)).hexdigest()

+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
    def verify(self, password, encoded):
        if len(encoded) == 37 and encoded.startswith('md5$$'):
            encoded = encoded[5:]
@@ -480,6 +506,7 @@ class CryptPasswordHasher(BasePasswordHasher):
    def salt(self):
        return get_random_string(2)

+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
    def encode(self, password, salt):
        crypt = self._load_library()
        assert len(salt) == 2
@@ -487,6 +514,7 @@ class CryptPasswordHasher(BasePasswordHasher):
        # we don't need to store the salt, but Django used to do this
        return "%s$%s$%s" % (self.algorithm, '', data)

+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
    def verify(self, password, encoded):
        crypt = self._load_library()
        algorithm, salt, data = encoded.split('$', 2)
@@ -501,4 +529,3 @@ class CryptPasswordHasher(BasePasswordHasher):
            (_('salt'), salt),
            (_('hash'), mask_hash(data, show=3)),
        ])
-
--- a/django/contrib/auth/tests/test_hashers.py
+++ b/django/contrib/auth/tests/test_hashers.py
@@ -5,9 +5,12 @@ import unittest
 from unittest import skipUnless

 from django.conf.global_settings import PASSWORD_HASHERS as default_hashers
-from django.contrib.auth.hashers import (is_password_usable, BasePasswordHasher,
-    check_password, make_password, PBKDF2PasswordHasher, load_hashers, PBKDF2SHA1PasswordHasher,
-    get_hasher, identify_hasher, UNUSABLE_PASSWORD_PREFIX, UNUSABLE_PASSWORD_SUFFIX_LENGTH)
+from django.contrib.auth.hashers import (
+    is_password_usable, BasePasswordHasher, check_password, make_password,
+    PBKDF2PasswordHasher, load_hashers, PBKDF2SHA1PasswordHasher, get_hasher,
+    identify_hasher, UNUSABLE_PASSWORD_PREFIX, UNUSABLE_PASSWORD_SUFFIX_LENGTH,
+    MAXIMUM_PASSWORD_LENGTH, password_max_length
+)
 from django.utils import six


@@ -39,6 +42,12 @@ class TestUtilsHashPass(unittest.TestCase):
        self.assertTrue(is_password_usable(blank_encoded))
        self.assertTrue(check_password('', blank_encoded))
        self.assertFalse(check_password(' ', blank_encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+        )

    def test_pkbdf2(self):
        encoded = make_password('lètmein', 'seasalt', 'pbkdf2_sha256')
@@ -54,6 +63,14 @@ class TestUtilsHashPass(unittest.TestCase):
        self.assertTrue(is_password_usable(blank_encoded))
        self.assertTrue(check_password('', blank_encoded))
        self.assertFalse(check_password(' ', blank_encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            "seasalt",
+            "pbkdf2_sha256",
+        )

    def test_sha1(self):
        encoded = make_password('lètmein', 'seasalt', 'sha1')
@@ -69,6 +86,14 @@ class TestUtilsHashPass(unittest.TestCase):
        self.assertTrue(is_password_usable(blank_encoded))
        self.assertTrue(check_password('', blank_encoded))
        self.assertFalse(check_password(' ', blank_encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            "seasalt",
+            "sha1",
+        )

    def test_md5(self):
        encoded = make_password('lètmein', 'seasalt', 'md5')
@@ -84,6 +109,14 @@ class TestUtilsHashPass(unittest.TestCase):
        self.assertTrue(is_password_usable(blank_encoded))
        self.assertTrue(check_password('', blank_encoded))
        self.assertFalse(check_password(' ', blank_encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            "seasalt",
+            "md5",
+        )

    def test_unsalted_md5(self):
        encoded = make_password('lètmein', '', 'unsalted_md5')
@@ -102,6 +135,14 @@ class TestUtilsHashPass(unittest.TestCase):
        self.assertTrue(is_password_usable(blank_encoded))
        self.assertTrue(check_password('', blank_encoded))
        self.assertFalse(check_password(' ', blank_encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            "",
+            "unsalted_md5",
+        )

    def test_unsalted_sha1(self):
        encoded = make_password('lètmein', '', 'unsalted_sha1')
@@ -119,6 +160,14 @@ class TestUtilsHashPass(unittest.TestCase):
        self.assertTrue(is_password_usable(blank_encoded))
        self.assertTrue(check_password('', blank_encoded))
        self.assertFalse(check_password(' ', blank_encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            "",
+            "unslated_sha1",
+        )

    @skipUnless(crypt, "no crypt module to generate password.")
    def test_crypt(self):
@@ -134,6 +183,14 @@ class TestUtilsHashPass(unittest.TestCase):
        self.assertTrue(is_password_usable(blank_encoded))
        self.assertTrue(check_password('', blank_encoded))
        self.assertFalse(check_password(' ', blank_encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            "seasalt",
+            "crypt",
+        )

    @skipUnless(bcrypt, "bcrypt not installed")
    def test_bcrypt_sha256(self):
@@ -156,6 +213,13 @@ class TestUtilsHashPass(unittest.TestCase):
        self.assertTrue(is_password_usable(blank_encoded))
        self.assertTrue(check_password('', blank_encoded))
        self.assertFalse(check_password(' ', blank_encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            hasher="bcrypt_sha256",
+        )

    @skipUnless(bcrypt, "bcrypt not installed")
    def test_bcrypt(self):
@@ -171,6 +235,13 @@ class TestUtilsHashPass(unittest.TestCase):
        self.assertTrue(is_password_usable(blank_encoded))
        self.assertTrue(check_password('', blank_encoded))
        self.assertFalse(check_password(' ', blank_encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            hasher="bcrypt",
+        )

    def test_unusable(self):
        encoded = make_password(None)
@@ -203,6 +274,14 @@ class TestUtilsHashPass(unittest.TestCase):
        self.assertFalse(is_password_usable('lètmein_badencoded'))
        self.assertFalse(is_password_usable(''))

+    def test_max_password_length_decorator(self):
+        @password_max_length(10)
+        def encode(s, password, salt):
+            return True
+
+        self.assertTrue(encode(None, b"1234", b"1234"))
+        self.assertRaises(ValueError, encode, None, b"1234567890A", b"1234")
+
    def test_low_level_pkbdf2(self):
        hasher = PBKDF2PasswordHasher()
        encoded = hasher.encode('lètmein', 'seasalt')

--- a/docs/releases/1.7.txt
+++ b/docs/releases/1.7.txt
@@ -402,6 +402,14 @@ Miscellaneous
  Rationale behind this is removal of dependency of non-contrib code on
  contrib applications.

+* Passwords longer than 4096 bytes in length will no longer work and will
+  instead raise a ``ValueError`` when using the hasher directory or the
+  built in forms shipped with ``django.contrib.auth`` will fail validation.
+
+  The rationale behind this is a possibility of a Denial of Service attack when
+  using a slow password hasher, such as the default PBKDF2, and sending very
+  large passwords.
+
 Features deprecated in 1.7
 ==========================