diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-10-22 13:21:14 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-10-22 13:21:14 +0200 |
| commit | 34180922380cf41cd684f846ecf00f92eb289bcf (patch) | |
| tree | 86beea492d23bfbd5fe758b9ae0fce4de5e6424c /django | |
| parent | 284bde3fbe07485d64289e28014a4eada68aef91 (diff) | |
Fixed #32130 -- Fixed pre-Django 3.1 password reset tokens validation.
Thanks Gordon Wrigley for the report and implementation idea.
Regression in 226ebb17290b604ef29e82fb5c1fbac3594ac163.
Diffstat (limited to 'django')
| -rw-r--r-- | django/contrib/auth/tokens.py | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/django/contrib/auth/tokens.py b/django/contrib/auth/tokens.py index c534f304f3..c3863d1dea 100644 --- a/django/contrib/auth/tokens.py +++ b/django/contrib/auth/tokens.py @@ -1,4 +1,4 @@ -from datetime import datetime +from datetime import datetime, time from django.conf import settings from django.utils.crypto import constant_time_compare, salted_hmac @@ -36,6 +36,8 @@ class PasswordResetTokenGenerator: # Parse the token try: ts_b36, _ = token.split("-") + # RemovedInDjango40Warning. + legacy_token = len(ts_b36) < 4 except ValueError: return False @@ -55,8 +57,14 @@ class PasswordResetTokenGenerator: ): return False + # RemovedInDjango40Warning: convert days to seconds and round to + # midnight (server time) for pre-Django 3.1 tokens. + now = self._now() + if legacy_token: + ts *= 24 * 60 * 60 + ts += int((now - datetime.combine(now.date(), time.min)).total_seconds()) # Check the timestamp is within limit. - if (self._num_seconds(self._now()) - ts) > settings.PASSWORD_RESET_TIMEOUT: + if (self._num_seconds(now) - ts) > settings.PASSWORD_RESET_TIMEOUT: return False return True |
