+64
-14
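--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -194,15 +194,6 @@ def clean(self):
         if username is not None and password:
             self.user_cache = authenticate(self.request, username=username, password=password)
             if self.user_cache is None:
-                # An authentication backend may reject inactive users. Check
-                # if the user exists and is inactive, and raise the 'inactive'
-                # error if so.
-                try:
-                    self.user_cache = UserModel._default_manager.get_by_natural_key(username)
-                except UserModel.DoesNotExist:
-                    pass
-                else:
-                    self.confirm_login_allowed(self.user_cache)
                 raise forms.ValidationError(
                     self.error_messages['invalid_login'],
                     code='invalid_login',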
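Review bot: The `if self.user_cache is None:` branch now raises the generic error with no comment saying why the user lookup was dropped, so nothing stops the next maintainer who wants the 'inactive' message back from reintroducing exactly the lookup this commit removes. Add a why-comment directly above the `raise`, e.g. `# Do not look the user up here: a second lookup that answers differently for unknown and inactive accounts lets an attacker enumerate them (CVE-2018-6188). Every failed authenticate() must surface the same invalid_login error.` The `clean()` method starts before and ends after this hunk; the successful-login path that presumably still calls `confirm_login_allowed()` on an authenticated user is outside the hunk, so that part is inferred rather than visible.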
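--- a/docs/releases/1.11.10.txt
+++ b/docs/releases/1.11.10.txt
@@ -2,9 +2,28 @@
 Django 1.11.10 release notes
 ============================
 
-*Expected February 1, 2018*
+*February 1, 2018*
 
-Django 1.11.10 fixes several bugs in 1.11.9.
+Django 1.11.10 fixes a security issue and several bugs in 1.11.9.
+
+CVE-2018-6188: Information leakage in ``AuthenticationForm``
+============================================================
+
+A regression in Django 1.11.8 made
+:class:`~django.contrib.auth.forms.AuthenticationForm` run its
+``confirm_login_allowed()`` method even if an incorrect password is entered.
+This can leak information about a user, depending on what messages
+``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't
+overridden, an attacker enter an arbitrary username and see if that user has
+been set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,
+more sensitive details could be leaked.
+
+This issue is fixed with the caveat that ``AuthenticationForm`` can no longer
+raise the "This account is inactive." error if the authentication backend
+rejects inactive users (the default authentication backend, ``ModelBackend``,
+has done that since Django 1.10). This issue will be revisited for Django 2.1
+as a fix to address the caveat will likely be too invasive for inclusion in
+older versions.
 
 Bugfixes
 ========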
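--- a/docs/releases/2.0.2.txt
+++ b/docs/releases/2.0.2.txt
@@ -2,9 +2,28 @@
 Django 2.0.2 release notes
 ==========================
 
-*Expected February 1, 2018*
-
-Django 2.0.2 fixes several bugs in 2.0.1.
+*February 1, 2018*
+
+Django 2.0.2 fixes a security issue and several bugs in 2.0.1.
+
+CVE-2018-6188: Information leakage in ``AuthenticationForm``
+============================================================
+
+A regression in Django 1.11.8 made
+:class:`~django.contrib.auth.forms.AuthenticationForm` run its
+``confirm_login_allowed()`` method even if an incorrect password is entered.
+This can leak information about a user, depending on what messages
+``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't
+overridden, an attacker enter an arbitrary username and see if that user has
+been set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,
+more sensitive details could be leaked.
+
+This issue is fixed with the caveat that ``AuthenticationForm`` can no longer
+raise the "This account is inactive." error if the authentication backend
+rejects inactive users (the default authentication backend, ``ModelBackend``,
+has done that since Django 1.10). This issue will be revisited for Django 2.1
+as a fix to address the caveat will likely be too invasive for inclusion in
+older versions.
 
 Bugfixes
 ========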
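--- a/tests/auth_tests/test_forms.py
+++ b/tests/auth_tests/test_forms.py
@@ -262,6 +262,9 @@ class Meta(UserCreationForm.Meta):
         )
 
 
+# To verify that the login form rejects inactive users, use an authentication
+# backend that allows them.
+@override_settings(AUTHENTICATION_BACKENDS=['django.contrib.auth.backends.AllowAllUsersModelBackend'])
 class AuthenticationFormTest(TestDataMixin, TestCase):
 
     def test_invalid_username(self):
@@ -291,6 +294,24 @@ def test_inactive_user(self):
         self.assertFalse(form.is_valid())
         self.assertEqual(form.non_field_errors(), [str(form.error_messages['inactive'])])
 
+    # Use an authentication backend that rejects inactive users.
+    @override_settings(AUTHENTICATION_BACKENDS=['django.contrib.auth.backends.ModelBackend'])
+    def test_inactive_user_incorrect_password(self):
+        """An invalid login doesn't leak the inactive status of a user."""
+        data = {
+            'username': 'inactive',
+            'password': 'incorrect',
+        }
+        form = AuthenticationForm(None, data)
+        self.assertFalse(form.is_valid())
+        self.assertEqual(
+            form.non_field_errors(), [
+                form.error_messages['invalid_login'] % {
+                    'username': User._meta.get_field('username').verbose_name
+                }
+            ]
+        )
+
     def test_login_failed(self):
         signal_calls = []
 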
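Review bot: `test_inactive_user_incorrect_password` pins the inactive-user response to the invalid_login text, but the property this fix is about is that the response is indistinguishable from the one for an unknown username, and nothing in the test asserts the two are equal; `test_invalid_username` is visible at line 270 but runs under the class-level AllowAllUsersModelBackend override, not the ModelBackend this test switches to. Compare the two error lists directly in the same test, and hoist the nested `% {...}` expression into an `expected` local so the `assertEqual` fits on one line. The username used for the unknown account must be one TestDataMixin does not create — confirm against the fixture, which is outside this hunk.

```python
    @override_settings(AUTHENTICATION_BACKENDS=['django.contrib.auth.backends.ModelBackend'])
    def test_inactive_user_incorrect_password(self):
        """An invalid login doesn't leak the inactive status of a user."""
        # … unchanged: data dict and form construction …
        self.assertFalse(form.is_valid())
        expected = form.error_messages['invalid_login'] % {
            'username': User._meta.get_field('username').verbose_name,
        }
        self.assertEqual(form.non_field_errors(), [expected])
        # Same backend, unknown username: the response must be identical.
        unknown = AuthenticationForm(None, {'username': 'nonexistent', 'password': 'incorrect'})
        self.assertFalse(unknown.is_valid())
        self.assertEqual(unknown.non_field_errors(), form.non_field_errors())
```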