Opened 5 years ago

Last modified 5 years ago

#31375 closed Bug

make_password shouldn't accept values other than bytes or string as an argument — at Version 1

Reported by: iamdavidcz
Owned by: nobody
Component: contrib.auth
Version: 3.0
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by iamdavidcz)

Currently the make_password function accepts almost every Python object as an argument. This is strange behaviour, and it results directly from force_bytes casting objects to str. We should throw a TypeError when passing anything but bytes or str to make_password.

Reasons:

  • programmers unaware of this strange behaviour can accidentally create weak passwords (potential security issue)
  • other libraries raise a TypeError in the same cases (e.g. Werkzeug, passlib)
  • it's inconsistent with the documentation that says:

    It takes one mandatory argument: the password in plain-text.

  • it's inconsistent with validate_password behaviour (passing anything but bytes or str to validate_password raises a TypeError with the default settings.AUTH_PASSWORD_VALIDATORS).

Discussion:

https://groups.google.com/forum/#!topic/django-developers/1Ap0zDjFa4E
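The weak-password scenario from the description, as an added example that is not part of the ticket or of Django's code. It uses a simplified stand-in for django.utils.encoding.force_bytes (bytes pass through, everything else is str()-ed and encoded) and a PBKDF2-SHA256 routine that mimics the shape of Django's hasher output, so it runs without Django installed. The User class, the fixed salt, the 180000 iteration count and the "!" unusable-password marker for None are assumptions made for illustration; the strict variant shows the TypeError check the ticket asks for.

```python
import base64
import hashlib
import secrets

# Assumed iteration count for this example (Django 3.0's PBKDF2 default).
ITERATIONS = 180000


def force_bytes_like(value, encoding="utf-8"):
    """Simplified stand-in for Django's force_bytes: bytes are returned
    unchanged, anything else is converted with str() and encoded.
    This lenient cast is what lets make_password accept arbitrary objects."""
    if isinstance(value, bytes):
        return value
    return str(value).encode(encoding)


def _pbkdf2_encode(password_bytes, salt, iterations=ITERATIONS):
    """PBKDF2-SHA256 in a 'algorithm$iterations$salt$hash' layout (example format)."""
    digest = hashlib.pbkdf2_hmac("sha256", password_bytes, salt.encode("ascii"), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(digest).decode("ascii"))


def make_password_lenient(password, salt):
    """The behaviour the ticket complains about: any object is accepted.
    123 -> b'123', [1, 2] -> b'[1, 2]', a User instance -> str(user)."""
    return _pbkdf2_encode(force_bytes_like(password), salt)


def make_password_strict(password, salt):
    """The behaviour the ticket asks for: only str or bytes are hashed;
    anything else raises TypeError. None is mapped to an unusable password
    (assumption modelled on Django's documented handling of None)."""
    if password is None:
        return "!" + secrets.token_urlsafe(30)
    if not isinstance(password, (bytes, str)):
        raise TypeError("password must be str or bytes, got %s" % type(password).__qualname__)
    return _pbkdf2_encode(force_bytes_like(password), salt)


def check_password(plain_text, encoded):
    """Recompute the hash for a plain-text candidate and compare in constant time."""
    if encoded.startswith("!"):
        return False
    _algorithm, iterations, salt, _digest = encoded.split("$", 3)
    candidate = _pbkdf2_encode(force_bytes_like(plain_text), salt, int(iterations))
    return secrets.compare_digest(candidate, encoded)


class User:
    """Hypothetical model object whose str() is the username, as many ORM models do."""

    def __init__(self, username):
        self.username = username

    def __str__(self):
        return self.username


def demonstrate_accidental_weak_password(salt="examplesalt"):
    """A programmer passes the user object instead of the submitted password.
    With the lenient cast the stored hash verifies against the bare username.
    Returns (lenient_accepts_username, strict_raised)."""
    user = User("alice")
    encoded = make_password_lenient(user, salt)
    lenient_accepts_username = check_password("alice", encoded)
    try:
        make_password_strict(user, salt)
        strict_raised = False
    except TypeError:
        strict_raised = True
    return lenient_accepts_username, strict_raised


if __name__ == "__main__":
    print(demonstrate_accidental_weak_password())
```

The lenient path turns a mistaken argument into a password that is exactly as guessable as the object's string form (a username, a number, a list repr), while the strict path fails loudly at the call site where the bug actually is. Constructing the check from the hasher's own output layout keeps the comparison independent of which variant produced the hash.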

Change History (1)

comment:1 by iamdavidcz, 5 years ago

Description: modified (diff)