From 1faee11d4dc4bb3299ae2fd8baec9b29f271f758 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Mon, 7 Jan 2019 14:10:25 -0800
Subject: [PATCH] django: Use Argon2 password hash

Passwords will be automatically upgraded for each user on login. Usernames not yet upgraded are vulnerable to user enumeration attack due to difference in password check timing. No need to add build dependency on python3-argon2 because tests use a different Django configuration which does not use argon2 hash.

Reviewed-by: James Valleroy
---
 debian/control          | 1 +
 plinth/web_framework.py | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/debian/control b/debian/control
index c14ecc298..917026448 100644
--- a/debian/control
+++ b/debian/control
@@ -79,6 +79,7 @@ Depends:
     ppp,
     pppoe,
     python3-apt,
+    python3-argon2,
     python3-augeas,
     python3-bootstrapform,
     python3-cherrypy3,
diff --git a/plinth/web_framework.py b/plinth/web_framework.py
index cb203e1c9..19eee0eac 100644
--- a/plinth/web_framework.py
+++ b/plinth/web_framework.py
@@ -135,6 +135,12 @@ def init():
             'plinth.modules.first_boot.middleware.FirstBootMiddleware',
             'plinth.middleware.SetupMiddleware',
         ),
+        PASSWORD_HASHERS=[
+            'django.contrib.auth.hashers.Argon2PasswordHasher',
+            'django.contrib.auth.hashers.PBKDF2PasswordHasher',
+            'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
+            'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
+        ],
         ROOT_URLCONF='plinth.urls',
         SECURE_BROWSER_XSS_FILTER=True,
         SECURE_CONTENT_TYPE_NOSNIFF=True,
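Review bot: The new PASSWORD_HASHERS list in plinth/web_framework.py carries no comment recording the invariant it depends on: Django uses the first entry as the preferred hasher (new passwords and the on-login re-hash the commit message describes) and the remaining entries only to verify hashes already stored, so a later reordering or pruning would silently change which algorithm protects new passwords or lock out users still on a removed one. I would add above `PASSWORD_HASHERS=[`: `# First entry is the preferred hasher (new passwords, on-login upgrades); the rest only verify existing hashes — dropping one locks out every user still stored with it.` The timing difference between accounts already re-hashed with Argon2 and those still on PBKDF2 that the message calls out is a consequence of this fallback list, so the comment is also the natural place to reference that note. Argon2PasswordHasher needs the argon2 package importable at runtime; debian/control covers the packaged install, but any other install path presumably needs the same and is not visible here. init() starts and ends outside the hunk.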