summaryrefslogtreecommitdiff
path: root/django
diff options
context:
space:
mode:
authorMariusz Felisiak <felisiak.mariusz@gmail.com>2020-10-22 13:21:14 +0200
committerGitHub <noreply@github.com>2020-10-22 13:21:14 +0200
commit34180922380cf41cd684f846ecf00f92eb289bcf (patch)
tree86beea492d23bfbd5fe758b9ae0fce4de5e6424c /django
parent284bde3fbe07485d64289e28014a4eada68aef91 (diff)
Fixed #32130 -- Fixed pre-Django 3.1 password reset tokens validation.
Thanks Gordon Wrigley for the report and implementation idea. Regression in 226ebb17290b604ef29e82fb5c1fbac3594ac163.
Diffstat (limited to 'django')
-rw-r--r--django/contrib/auth/tokens.py12
1 files changed, 10 insertions, 2 deletions
diff --git a/django/contrib/auth/tokens.py b/django/contrib/auth/tokens.py
index c534f304f3..c3863d1dea 100644
--- a/django/contrib/auth/tokens.py
+++ b/django/contrib/auth/tokens.py
@@ -1,4 +1,4 @@
-from datetime import datetime
+from datetime import datetime, time
from django.conf import settings
from django.utils.crypto import constant_time_compare, salted_hmac
@@ -36,6 +36,8 @@ class PasswordResetTokenGenerator:
# Parse the token
try:
ts_b36, _ = token.split("-")
+ # RemovedInDjango40Warning.
+ legacy_token = len(ts_b36) < 4
except ValueError:
return False
@@ -55,8 +57,14 @@ class PasswordResetTokenGenerator:
):
return False
+ # RemovedInDjango40Warning: convert days to seconds and round to
+ # midnight (server time) for pre-Django 3.1 tokens.
+ now = self._now()
+ if legacy_token:
+ ts *= 24 * 60 * 60
+ ts += int((now - datetime.combine(now.date(), time.min)).total_seconds())
# Check the timestamp is within limit.
- if (self._num_seconds(self._now()) - ts) > settings.PASSWORD_RESET_TIMEOUT:
+ if (self._num_seconds(now) - ts) > settings.PASSWORD_RESET_TIMEOUT:
return False
return True