[1.4.x] Ensure that passwords are never long enough for a DoS.

freakboy3742 · freakboy3742 · commit 3f3d887a6844 · 2013-09-15T13:49:16.000+08:00
* Limit the password length to 4096 bytes * Password hashers will raise a ValueError * django.contrib.auth forms will fail validation * Document in release notes that this is a backwards incompatible change Thanks to Josh Wright for the report, and Donald Stufft for the patch. This is a security fix; disclosure to follow shortly. Backport of aae5a96 from master.
diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
@@ -8,7 +8,10 @@
 
 from django.contrib.auth import authenticate
 from django.contrib.auth.models import User
-from django.contrib.auth.hashers import UNUSABLE_PASSWORD, is_password_usable, get_hasher
+from django.contrib.auth.hashers import (
+    MAXIMUM_PASSWORD_LENGTH, UNUSABLE_PASSWORD,
+    is_password_usable, get_hasher
+)
 from django.contrib.auth.tokens import default_token_generator
 from django.contrib.sites.models import get_current_site
 
@@ -70,10 +73,11 @@ class UserCreationForm(forms.ModelForm):
             'invalid': _("This value may contain only letters, numbers and "
                          "@/./+/-/_ characters.")})
     password1 = forms.CharField(label=_("Password"),
-        widget=forms.PasswordInput)
+        widget=forms.PasswordInput, max_length=MAXIMUM_PASSWORD_LENGTH)
     password2 = forms.CharField(label=_("Password confirmation"),
         widget=forms.PasswordInput,
-        help_text = _("Enter the same password as above, for verification."))
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+        help_text=_("Enter the same password as above, for verification."))
 
     class Meta:
         model = User
@@ -137,7 +141,11 @@ class AuthenticationForm(forms.Form):
     username/password logins.
     """
     username = forms.CharField(label=_("Username"), max_length=30)
-    password = forms.CharField(label=_("Password"), widget=forms.PasswordInput)
+    password = forms.CharField(
+        label=_("Password"),
+        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+    )
 
     error_messages = {
         'invalid_login': _("Please enter a correct username and password. "
@@ -250,10 +258,16 @@ class SetPasswordForm(forms.Form):
     error_messages = {
         'password_mismatch': _("The two password fields didn't match."),
     }
-    new_password1 = forms.CharField(label=_("New password"),
-                                    widget=forms.PasswordInput)
-    new_password2 = forms.CharField(label=_("New password confirmation"),
-                                    widget=forms.PasswordInput)
+    new_password1 = forms.CharField(
+        label=_("New password"),
+        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+    )
+    new_password2 = forms.CharField(
+        label=_("New password confirmation"),
+        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+    )
 
     def __init__(self, user, *args, **kwargs):
         self.user = user
@@ -284,8 +298,11 @@ class PasswordChangeForm(SetPasswordForm):
         'password_incorrect': _("Your old password was entered incorrectly. "
                                 "Please enter it again."),
     })
-    old_password = forms.CharField(label=_("Old password"),
-                                   widget=forms.PasswordInput)
+    old_password = forms.CharField(
+        label=_("Old password"),
+        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+    )
 
     def clean_old_password(self):
         """
@@ -307,10 +324,16 @@ class AdminPasswordChangeForm(forms.Form):
     error_messages = {
         'password_mismatch': _("The two password fields didn't match."),
     }
-    password1 = forms.CharField(label=_("Password"),
-                                widget=forms.PasswordInput)
-    password2 = forms.CharField(label=_("Password (again)"),
-                                widget=forms.PasswordInput)
+    password1 = forms.CharField(
+        label=_("Password"),
+        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+    )
+    password2 = forms.CharField(
+        label=_("Password (again)"),
+        widget=forms.PasswordInput,
+        max_length=MAXIMUM_PASSWORD_LENGTH,
+    )
 
     def __init__(self, user, *args, **kwargs):
         self.user = user
diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
@@ -1,3 +1,4 @@
+import functools
 import hashlib
 
 from django.conf import settings
@@ -11,10 +12,23 @@
 
 
 UNUSABLE_PASSWORD = '!'  # This will never be a valid encoded hash
+MAXIMUM_PASSWORD_LENGTH = 4096  # The maximum length a password can be to prevent DoS
 HASHERS = None  # lazily loaded from PASSWORD_HASHERS
 PREFERRED_HASHER = None  # defaults to first item in PASSWORD_HASHERS
 
 
+def password_max_length(max_length):
+    def inner(fn):
+        @functools.wraps(fn)
+        def wrapper(self, password, *args, **kwargs):
+            if len(password) > max_length:
+                raise ValueError("Invalid password; Must be less than or equal"
+                                 " to %d bytes" % max_length)
+            return fn(self, password, *args, **kwargs)
+        return wrapper
+    return inner
+
+
 def is_password_usable(encoded):
     return (encoded is not None and encoded != UNUSABLE_PASSWORD)
 
@@ -202,6 +216,7 @@ class PBKDF2PasswordHasher(BasePasswordHasher):
     iterations = 10000
     digest = hashlib.sha256
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def encode(self, password, salt, iterations=None):
         assert password
         assert salt and '$' not in salt
@@ -211,6 +226,7 @@ def encode(self, password, salt, iterations=None):
         hash = hash.encode('base64').strip()
         return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash)
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def verify(self, password, encoded):
         algorithm, iterations, salt, hash = encoded.split('$', 3)
         assert algorithm == self.algorithm
@@ -256,11 +272,13 @@ def salt(self):
         bcrypt = self._load_library()
         return bcrypt.gensalt(self.rounds)
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def encode(self, password, salt):
         bcrypt = self._load_library()
         data = bcrypt.hashpw(password, salt)
         return "%s$%s" % (self.algorithm, data)
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def verify(self, password, encoded):
         algorithm, data = encoded.split('$', 1)
         assert algorithm == self.algorithm
@@ -285,12 +303,14 @@ class SHA1PasswordHasher(BasePasswordHasher):
     """
     algorithm = "sha1"
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def encode(self, password, salt):
         assert password
         assert salt and '$' not in salt
         hash = hashlib.sha1(salt + password).hexdigest()
         return "%s$%s$%s" % (self.algorithm, salt, hash)
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def verify(self, password, encoded):
         algorithm, salt, hash = encoded.split('$', 2)
         assert algorithm == self.algorithm
@@ -313,12 +333,14 @@ class MD5PasswordHasher(BasePasswordHasher):
     """
     algorithm = "md5"
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def encode(self, password, salt):
         assert password
         assert salt and '$' not in salt
         hash = hashlib.md5(salt + password).hexdigest()
         return "%s$%s$%s" % (self.algorithm, salt, hash)
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def verify(self, password, encoded):
         algorithm, salt, hash = encoded.split('$', 2)
         assert algorithm == self.algorithm
@@ -349,11 +371,13 @@ class UnsaltedSHA1PasswordHasher(BasePasswordHasher):
     def salt(self):
         return ''
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def encode(self, password, salt):
         assert salt == ''
         hash = hashlib.sha1(password).hexdigest()
         return 'sha1$$%s' % hash
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def verify(self, password, encoded):
         encoded_2 = self.encode(password, '')
         return constant_time_compare(encoded, encoded_2)
@@ -383,10 +407,12 @@ class UnsaltedMD5PasswordHasher(BasePasswordHasher):
     def salt(self):
         return ''
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def encode(self, password, salt):
         assert salt == ''
         return hashlib.md5(password).hexdigest()
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def verify(self, password, encoded):
         if len(encoded) == 37 and encoded.startswith('md5$$'):
             encoded = encoded[5:]
@@ -412,13 +438,15 @@ class CryptPasswordHasher(BasePasswordHasher):
     def salt(self):
         return get_random_string(2)
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def encode(self, password, salt):
         crypt = self._load_library()
         assert len(salt) == 2
         data = crypt.crypt(password, salt)
         # we don't need to store the salt, but Django used to do this
         return "%s$%s$%s" % (self.algorithm, '', data)
 
+    @password_max_length(MAXIMUM_PASSWORD_LENGTH)
     def verify(self, password, encoded):
         crypt = self._load_library()
         algorithm, salt, data = encoded.split('$', 2)
@@ -433,4 +461,3 @@ def safe_summary(self, encoded):
             (_('salt'), salt),
             (_('hash'), mask_hash(data, show=3)),
         ])
-
diff --git a/django/contrib/auth/tests/hashers.py b/django/contrib/auth/tests/hashers.py
@@ -1,7 +1,8 @@
 from django.conf.global_settings import PASSWORD_HASHERS as default_hashers
 from django.contrib.auth.hashers import (is_password_usable,
     check_password, make_password, PBKDF2PasswordHasher, load_hashers,
-    PBKDF2SHA1PasswordHasher, get_hasher, UNUSABLE_PASSWORD)
+    PBKDF2SHA1PasswordHasher, get_hasher, UNUSABLE_PASSWORD,
+    MAXIMUM_PASSWORD_LENGTH, password_max_length)
 from django.utils import unittest
 from django.utils.unittest import skipUnless
 from django.test.utils import override_settings
@@ -28,6 +29,12 @@ def test_simple(self):
         self.assertTrue(is_password_usable(encoded))
         self.assertTrue(check_password(u'letmein', encoded))
         self.assertFalse(check_password('letmeinz', encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+        )
 
     def test_pkbdf2(self):
         encoded = make_password('letmein', 'seasalt', 'pbkdf2_sha256')
@@ -36,6 +43,14 @@ def test_pkbdf2(self):
         self.assertTrue(is_password_usable(encoded))
         self.assertTrue(check_password(u'letmein', encoded))
         self.assertFalse(check_password('letmeinz', encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            "seasalt",
+            "pbkdf2_sha256",
+        )
 
     def test_sha1(self):
         encoded = make_password('letmein', 'seasalt', 'sha1')
@@ -44,6 +59,14 @@ def test_sha1(self):
         self.assertTrue(is_password_usable(encoded))
         self.assertTrue(check_password(u'letmein', encoded))
         self.assertFalse(check_password('letmeinz', encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            "seasalt",
+            "sha1",
+        )
 
     def test_md5(self):
         encoded = make_password('letmein', 'seasalt', 'md5')
@@ -52,6 +75,14 @@ def test_md5(self):
         self.assertTrue(is_password_usable(encoded))
         self.assertTrue(check_password(u'letmein', encoded))
         self.assertFalse(check_password('letmeinz', encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            "seasalt",
+            "md5",
+        )
 
     def test_unsalted_md5(self):
         encoded = make_password('letmein', '', 'unsalted_md5')
@@ -64,6 +95,14 @@ def test_unsalted_md5(self):
         self.assertTrue(is_password_usable(alt_encoded))
         self.assertTrue(check_password(u'letmein', alt_encoded))
         self.assertFalse(check_password('letmeinz', alt_encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            "",
+            "unsalted_md5",
+        )
 
     def test_unsalted_sha1(self):
         encoded = make_password('letmein', '', 'unsalted_sha1')
@@ -74,6 +113,14 @@ def test_unsalted_sha1(self):
         # Raw SHA1 isn't acceptable
         alt_encoded = encoded[6:]
         self.assertRaises(ValueError, check_password, 'letmein', alt_encoded)
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            "",
+            "unslated_sha1",
+        )
 
     @skipUnless(crypt, "no crypt module to generate password.")
     def test_crypt(self):
@@ -82,6 +129,14 @@ def test_crypt(self):
         self.assertTrue(is_password_usable(encoded))
         self.assertTrue(check_password(u'letmein', encoded))
         self.assertFalse(check_password('letmeinz', encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            "seasalt",
+            "crypt",
+        )
 
     @skipUnless(bcrypt, "py-bcrypt not installed")
     def test_bcrypt(self):
@@ -90,6 +145,13 @@ def test_bcrypt(self):
         self.assertTrue(encoded.startswith('bcrypt$'))
         self.assertTrue(check_password(u'letmein', encoded))
         self.assertFalse(check_password('letmeinz', encoded))
+        # Long password
+        self.assertRaises(
+            ValueError,
+            make_password,
+            b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
+            hasher="bcrypt",
+        )
 
     def test_unusable(self):
         encoded = make_password(None)
@@ -105,6 +167,14 @@ def doit():
             make_password('letmein', hasher='lolcat')
         self.assertRaises(ValueError, doit)
 
+    def test_max_password_length_decorator(self):
+        @password_max_length(10)
+        def encode(s, password, salt):
+            return True
+
+        self.assertTrue(encode(None, b"1234", b"1234"))
+        self.assertRaises(ValueError, encode, None, b"1234567890A", b"1234")
+
     def test_low_level_pkbdf2(self):
         hasher = PBKDF2PasswordHasher()
         encoded = hasher.encode('letmein', 'seasalt')
