Adam,

> One question I have is - did you experience any real world issue with this?

Personally I didn't, but I can imagine scenarios where this *could* be an issue for other programmers. Suppose you want to create a password hash from another SHA256 hash, but you're only a human <https://www.youtube.com/watch?v=L3wKzyIN1yk> and you forget to call hexdigest() on the sha object:

    In [1]: import hashlib
    In [2]: password = hashlib.sha256('some_dummy_password'.encode())
    In [3]: password
    Out[3]: <sha256 HASH object @ 0x111d9f180>
    In [4]: user.set_password(password)
    In [5]: user.check_password('<sha256 HASH object @ 0x111d9f180>')
    Out[5]: True

Indeed, you may think that this is a pretty uncommon scenario, but it *could* happen. For some reason libraries like Werkzeug <https://palletsprojects.com/p/werkzeug/> and passlib <https://passlib.readthedocs.io/en/stable/> raise a TypeError in this case, and therefore a programmer can actually see that something is wrong. On the other hand, Django fails silently and the application will save a wrong password to the database. Yes, there is no doubt that in the end it's the programmer's fault, but on Django's main page we can read:

> Django takes security seriously and helps developers avoid many common security mistakes.

I believe that adding a type guard to the make_password function will help developers avoid a security mistake.

> We could add type guards to many of the thousands of functions in Django to prevent potential bugs.

Of course we could, but that would be useless and a waste of time. The question is whether a function is important enough to add a type guard. Well, I think that the function that is responsible for generating password hashes *is* important from the security perspective. And it seems that the creators of the Werkzeug <https://palletsprojects.com/p/werkzeug/> and passlib <https://passlib.readthedocs.io/en/stable/> libraries think so as well. But if you think the opposite, I'm fine with that. In this case, a small change in the documentation on make_password behaviour might be helpful.
Thanks,
Dawid
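The silent failure described in the thread, reproduced with a small stand-in hasher, as an added example that is not part of the original post or of Django's code: `make_password_unguarded` coerces its argument with `str()` the way the message describes, so a forgotten `hexdigest()` stores a hash of the object's repr, while the hypothetical `make_password_guarded` rejects anything that is not a `str` before hashing. The PBKDF2 format, iteration count and function names are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a Django-style hasher (not Django's implementation):
# PBKDF2-HMAC-SHA256 with a random hex salt, encoded as algo$iterations$salt$hash.
ITERATIONS = 100_000


def make_password_unguarded(password, salt=None):
    # Any object is coerced with str(), so a hashlib object becomes the string
    # "<sha256 HASH object @ 0x...>" and that string is what gets hashed.
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", str(password).encode(), salt.encode(), ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt}${digest.hex()}"


def make_password_guarded(password, salt=None):
    # Hypothetical type guard: refuse to hash anything that is not a str,
    # so the mistake surfaces as an exception instead of a wrong stored hash.
    if not isinstance(password, str):
        raise TypeError(f"Password must be a string, got {type(password).__name__}.")
    return make_password_unguarded(password, salt)


def check_password(password, encoded):
    # Re-derive with the stored salt and compare in constant time.
    _algo, _iters, salt, _digest = encoded.split("$")
    return hmac.compare_digest(make_password_unguarded(password, salt), encoded)


def demonstrate():
    # The programmer forgot .hexdigest(): this is a hash object, not a string.
    forgotten_hexdigest = hashlib.sha256(b"some_dummy_password")
    encoded = make_password_unguarded(forgotten_hexdigest)
    # The repr string now authenticates, and the intended password does not.
    repr_authenticates = check_password(str(forgotten_hexdigest), encoded)
    real_password_fails = not check_password("some_dummy_password", encoded)
    try:
        make_password_guarded(forgotten_hexdigest)
        guard_raised = False
    except TypeError:
        guard_raised = True
    return repr_authenticates, real_password_fails, guard_raised


if __name__ == "__main__":
    print(demonstrate())  # (True, True, True)
```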