django: Use Argon2 password hash

Passwords will be automatically upgraded for each user on login.

Usernames not yet upgraded are vulnerable to a user enumeration attack due to
the difference in password check timing.

No need to add a build dependency on python3-argon2 because tests use a different
Django configuration which does not use the argon2 hash.

Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This commit is contained in:
Sunil Mohan Adapa 2019-01-07 14:10:25 -08:00 committed by James Valleroy
parent 039461b846
commit 1faee11d4d
No known key found for this signature in database
GPG Key ID: 77C0C75E7B650808
2 changed files with 7 additions and 0 deletions
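
The "upgraded on login" behaviour the commit message relies on is Django's rule that check_password() re-hashes a correct password whenever the stored hash was not produced by the first entry of PASSWORD_HASHERS (or that entry's parameters have gone stale). The block below is an added example, not Plinth or Django code: it re-implements that selection and upgrade logic with an ordered hasher list so the mechanism can be run end to end offline. hashlib PBKDF2 (SHA-256 as the preferred hasher, SHA-1 as the legacy one) stands in for Argon2 because argon2-cffi may not be installed; the user store, usernames and hash parameters are constructed for the demonstration.

```python
"""Upgrade-on-login for an ordered PASSWORD_HASHERS list.

Added example, not FreedomBox/Plinth or Django code. It mirrors the
hasher-selection and must_update logic of Django's check_password(); the two
PBKDF2 hashers are stand-ins (preferred vs legacy) since argon2-cffi may be
absent. Iteration counts are kept low so the example runs quickly.
"""
import base64
import hashlib
import hmac
import secrets


class PBKDF2Hasher:
    """Encodes as 'algorithm$iterations$salt$b64hash', the format Django uses."""
    algorithm = "pbkdf2_sha256"
    digest = "sha256"
    iterations = 100000  # constructed value; production counts are higher

    def salt(self):
        return secrets.token_hex(8)

    def encode(self, password, salt, iterations=None):
        iterations = iterations or self.iterations
        dk = hashlib.pbkdf2_hmac(self.digest, password.encode(),
                                 salt.encode(), iterations)
        return f"{self.algorithm}${iterations}${salt}${base64.b64encode(dk).decode()}"

    def verify(self, password, encoded):
        algorithm, iterations, salt, _ = encoded.split("$", 3)
        assert algorithm == self.algorithm
        candidate = self.encode(password, salt, int(iterations))
        # Constant-time comparison of the full encoded strings.
        return hmac.compare_digest(candidate.encode(), encoded.encode())

    def must_update(self, encoded):
        # Same algorithm, but the work factor no longer matches: re-hash.
        return int(encoded.split("$", 3)[1]) != self.iterations


class PBKDF2SHA1Hasher(PBKDF2Hasher):
    """Legacy hasher standing in for the pre-upgrade algorithm."""
    algorithm = "pbkdf2_sha1"
    digest = "sha1"


# First entry is the default for new hashes and the target of upgrades.
PASSWORD_HASHERS = [PBKDF2Hasher(), PBKDF2SHA1Hasher()]


def get_hasher(algorithm=None):
    if algorithm is None:
        return PASSWORD_HASHERS[0]
    for hasher in PASSWORD_HASHERS:
        if hasher.algorithm == algorithm:
            return hasher
    raise ValueError(f"unknown password hasher {algorithm!r}")


def make_password(password):
    hasher = get_hasher()
    return hasher.encode(password, hasher.salt())


def check_password(password, encoded, setter=None):
    """Verify against the hasher named in the stored hash; re-hash via setter
    when the hash is not in the preferred algorithm/parameters."""
    preferred = get_hasher()
    hasher = get_hasher(encoded.split("$", 1)[0])
    is_correct = hasher.verify(password, encoded)
    must_update = hasher.algorithm != preferred.algorithm
    if not must_update:
        must_update = preferred.must_update(encoded)
    if setter is not None and is_correct and must_update:
        setter(password)  # only a verified password can be re-hashed
    return is_correct


class User:
    def __init__(self, username, encoded):
        self.username = username
        self.password = encoded  # stored hash, as in Django's user model

    def set_password(self, raw):
        self.password = make_password(raw)


# Constructed store: alice still has a legacy (pbkdf2_sha1) hash.
USERS = {
    "alice": User("alice", PBKDF2SHA1Hasher().encode("correct horse",
                                                    "0123456789abcdef")),
}


def authenticate(username, password):
    user = USERS.get(username)
    if user is None:
        # As ModelBackend does: spend the default hasher's cost on unknown
        # users. A user whose stored hash still uses a cheaper legacy hasher
        # verifies in a different time, which is the enumeration gap the
        # commit message acknowledges for not-yet-upgraded accounts.
        make_password(password)
        return None
    if check_password(password, user.password, setter=user.set_password):
        return user
    return None
```

A wrong password never triggers the setter, so an attacker cannot force re-hashing, and the upgrade happens only on the first successful login after the hasher order changes; accounts that never log in keep the old hash indefinitely.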

debian/control

@ -79,6 +79,7 @@ Depends:
ppp,
pppoe,
python3-apt,
python3-argon2,
python3-augeas,
python3-bootstrapform,
python3-cherrypy3,
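Review bot: python3-argon2 is added to Depends without a version constraint, and nothing in the build verifies it, since the commit message says the test configuration never selects the Argon2 hasher. Django's Argon2PasswordHasher imports the argon2 module lazily on the first encode()/verify(), so a missing or incompatible package surfaces as a ValueError at the first login or password change rather than at startup. Suggest a versioned dependency matching the argon2-cffi minimum the targeted Django release documents, plus a smoke check against the production settings that make_password('x') returns a hash starting with 'argon2$'.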


@ -135,6 +135,12 @@ def init():
'plinth.modules.first_boot.middleware.FirstBootMiddleware',
'plinth.middleware.SetupMiddleware',
),
PASSWORD_HASHERS=[
'django.contrib.auth.hashers.Argon2PasswordHasher',
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
],
ROOT_URLCONF='plinth.urls',
SECURE_BROWSER_XSS_FILTER=True,
SECURE_CONTENT_TYPE_NOSNIFF=True,
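Review bot: the timing difference the commit message calls out follows directly from this ordering and deserves a comment here: ModelBackend runs the default hasher (now Argon2PasswordHasher) on the unknown-user path, while a user whose stored hash is still PBKDF2 is checked with PBKDF2PasswordHasher until they next log in, so the two paths cost different amounts of time. Also, BCryptSHA256PasswordHasher is kept in the list but python3-bcrypt is not added to Depends in this patch; that matches Django's default list so it is not a regression, but any bcrypt hash already in the database would fail with a ValueError on verify, so either drop the entry or add the dependency.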