I think that the root question here is: should we allow users to create
passwords from anything that is not str? Now seems like make_password
function allows to do that (Django 3.0.4):
In [1]: make_password(True)
Out[1]:
'pbkdf2_sha256$180000$WXVqmAhNTScA$bAiYHSr2fs3LbccZ+mDOAqE0vhYCPUOTVtot+TDTgSU='
In [2]: make_password(False)
Out[2]:
'pbkdf2_sha256$180000$19XGmulpDIUE$XbaYmfcbwPvlekI5RltSbRRJnfqLS7mfigb88VveOBY='
In [3]: make_password(list)
Out[3]:
'pbkdf2_sha256$180000$RkRlYdoMjKhR$QpSMO7wPNo3TVCGZk0BR1zolUI69OE2PFB7N3DYfBE0='
In [4]: make_password(frozenset)
Out[4]:
'pbkdf2_sha256$180000$qY0D7n7Q36Tb$1BDA0JcC0uz9RTIepDvcviU5O23WL/Cs/O9NX25fy18='
In [5]: make_password([1, 2, 3, {"hello": "world"}])
Out[5]:
'pbkdf2_sha256$180000$B4rNXyIZDrzM$pbdM797yYZzWu04WUrcZXBNNUwojSXZREkrbprxeP0A='
Many projects are actually checking the if the password is a str throwing
the TypeError if it's not. I don't quite understand why Django should be an
exception in this case...
https://fossies.org/linux/openslides/openslides/users/views.py#l_189
https://github.com/golismero/openvas_lib/blob/master/openvas_lib/common.py#L232
https://github.com/firebase/firebase-admin-python/blob/master/firebase_admin/_auth_utils.py#L73
On Thursday, 12 March 2020 00:06:44 UTC+1, Dawid Czeluśniak wrote:
>
> Hi all,
>
> I've noticed that both set_password and check_password methods accept
> values other than str as parameters. For example I'm able to set password
> to boolean values:
>
> In [1]: u.set_password(True)
>
> In [2]: u.save()
>
> In [3]: u.refresh_from_db()
>
> In [4]: u.check_password(True)
> Out[4]: True
>
> In [5]: u.check_password('True')
> Out[5]: True
>
> What is even weirder, I'm able to set password as Exception class:
>
> In [1]: u.set_password(Exception)
>
> In [2]: u.save()
>
> In [3]: u.refresh_from_db()
>
> In [4]: u.check_password(repr(Exception))
> Out[4]: True
>
> and the User instance itself:
>
> In [1]: u.set_password(u)
>
> In [2]: u.save()
>
> In [3]: u.refresh_from_db()
>
> In [4]: u.check_password(u)
> Out[4]: True
>
> In [5]: u.check_password(str(u))
> Out[5]: True
>
> IMHO this is not correct behaviour especially because Django documentation
> implies that these methods accept strings.
>
> set_password(raw_password)
>> Sets the user’s password to the given *raw string*, taking care of the
>> password hashing. Doesn’t save the User object.
>>
>> check_password(raw_password)
>> Returns True if the given *raw string* is the correct password for the
>> user. (This takes care of the password hashing in making the comparison.)
>
>
> Please let me know if this is reproducible on your side.
>
> Dawid
>
--
You received this message because you are subscribed to the Google Groups
"Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/8fe07285-ab2d-4a1f-9121-e6a6cae491af%40googlegroups.com.
