Opened 5 years ago
Last modified 5 years ago
#31375 closed Bug
make_password shouldn't accept values other than bytes or string as an argument — at Initial Version
Reported by: | iamdavidcz | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | 3.0 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Currently the `make_password` function accepts almost every Python object as an argument. This is a strange behaviour and it results directly from `force_bytes` casting objects to `str`. We should throw the `TypeError` when passing anything but `bytes` or `str` to `make_password`.
Reasons:
- users unaware of this strange behaviour can accidentally create weak passwords (potential security issue)
- other libraries throw the `TypeError` in the same cases (e.g. Werkzeug, passlib)
- it's inconsistent with the documentation that says: "It takes one mandatory argument: the password in plain-text."
- it's inconsistent with `validate_password` behaviour (passing anything but `bytes` or `str` to `validate_password` raises the `TypeError` with default `settings.AUTH_PASSWORD_VALIDATORS`).
Discussion:
https://groups.google.com/forum/#!topic/django-developers/1Ap0zDjFa4E
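
The behaviour described in the ticket, as an added example that is not Django's code and not part of the original report. `lenient_bytes` is a stand-in that mimics the `str()` casting the ticket attributes to `force_bytes`, `strict_bytes` is a hypothetical type check, and the PBKDF2 helpers and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000  # low on purpose so the demo runs fast; not a production setting


def lenient_bytes(value):
    """Stand-in for the reported behaviour: anything that is not bytes goes through str()."""
    return value if isinstance(value, bytes) else str(value).encode("utf-8")


def strict_bytes(value):
    """Hypothetical check matching the ticket's proposal: only bytes or str pass."""
    if not isinstance(value, (bytes, str)):
        raise TypeError(f"password must be bytes or str, got {type(value).__name__}")
    return value if isinstance(value, bytes) else value.encode("utf-8")


def make_hash(password, to_bytes):
    """Return (salt, digest) for the password after conversion by `to_bytes`."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", to_bytes(password), salt, ITERATIONS)


def verify(guess, stored, to_bytes):
    """Constant-time comparison of a guess against a stored (salt, digest) pair."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", to_bytes(guess), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def lenient_accepts(value, guess):
    """Hash `value` leniently, then report whether the string `guess` verifies."""
    return verify(guess, make_hash(value, lenient_bytes), lenient_bytes)


def strict_rejects(value):
    """True when the strict conversion refuses `value` with a TypeError."""
    try:
        make_hash(value, strict_bytes)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a list such as a multi-value form lookup returns, a bool, an int.
    for value in (["s3cret-Pa55"], True, 123456):
        print(repr(value), "-> effective password", repr(str(value)),
              "| strict rejects:", strict_rejects(value))
```

With the lenient conversion, a list passed by mistake stores the hash of its `repr`, so the password the user actually typed no longer verifies, and a value such as `True` yields the guessable password `"True"`.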