| author | Carlton Gibson <carlton.gibson@noumenal.es> | 2018-09-13 15:08:41 +0200 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2018-10-01 10:05:01 +0200 |
| commit | bf39978a53f117ca02e9a0c78b76664a41a54745 (patch) | |
| tree | 975d3beb98aebfc5b84d2de14c4f6382a73aaf68 /tests/auth_tests | |
| parent | a4932be483368d17d907d8d5492c4701a6631d87 (diff) | |
Fixed CVE-2018-16984 -- Fixed password hash disclosure to admin "view only" users.
Thanks Claude Paroz & Tim Graham for collaborating on the patch.
Diffstat (limited to 'tests/auth_tests')
| -rw-r--r-- | tests/auth_tests/test_views.py | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/tests/auth_tests/test_views.py b/tests/auth_tests/test_views.py
index 0facae74d4..f29f5f0949 100644
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@@ -15,11 +15,12 @@ from django.contrib.auth import (
 from django.contrib.auth.forms import (
     AuthenticationForm, PasswordChangeForm, SetPasswordForm,
 )
-from django.contrib.auth.models import User
+from django.contrib.auth.models import Permission, User
 from django.contrib.auth.views import (
     INTERNAL_RESET_SESSION_TOKEN, LoginView, logout_then_login,
     redirect_to_login,
 )
+from django.contrib.contenttypes.models import ContentType
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.contrib.sites.requests import RequestSite
 from django.core import mail
@@ -1098,6 +1099,11 @@ class LogoutTest(AuthViewsTestCase):
         self.assertRedirects(response, '/logout/', fetch_redirect_response=False)
 
 
+def get_perm(Model, perm):
+    ct = ContentType.objects.get_for_model(Model)
+    return Permission.objects.get(content_type=ct, codename=perm)
+
+
 # Redirect in test_user_change_password will fail if session auth hash
 # isn't updated after password change (#21649)
 @override_settings(ROOT_URLCONF='auth_tests.urls_admin')
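Review bot: `get_perm` is a new module-level helper with no docstring, and its first parameter `Model` is capitalized like a class name where the rest of the file uses lowercase parameter names. A one-line docstring such as `"""Return the Permission with codename `perm` for the given model class."""` would make the helper self-explanatory to other test authors. It may also be worth noting in that docstring that `Permission.objects.get` raises `Permission.DoesNotExist` for an unknown codename, so a typo in a caller fails loudly rather than silently granting nothing.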
@@ -1211,6 +1217,25 @@ class ChangelistTests(AuthViewsTestCase):
         (_request, user), _kwargs = has_change_permission.call_args
         self.assertEqual(user.pk, self.admin.pk)
 
+    def test_view_user_password_is_readonly(self):
+        u = User.objects.get(username='testclient')
+        u.is_superuser = False
+        u.save()
+        u.user_permissions.add(get_perm(User, 'view_user'))
+        response = self.client.get(reverse('auth_test_admin:auth_user_change', args=(u.pk,)),)
+        algo, salt, hash_string = (u.password.split('$'))
+        self.assertContains(response, '<div class="readonly">testclient</div>')
+        # ReadOnlyPasswordHashWidget is used to render the field.
+        self.assertContains(
+            response,
+            '<strong>algorithm</strong>: %s\n\n'
+            '<strong>salt</strong>: %s**********\n\n'
+            '<strong>hash</strong>: %s**************************\n\n' % (
+                algo, salt[:2], hash_string[:6],
+            ),
+            html=True,
+        )
+
 
 @override_settings(
     AUTH_USER_MODEL='auth_tests.UUIDUser', |
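Review bot: `test_view_user_password_is_readonly` only asserts that the masked widget output is present; it never asserts that the unmasked hash is absent, which is the disclosure this commit fixes, so a regression that rendered the raw value alongside the widget would still pass. Adding `self.assertNotContains(response, hash_string)` and `self.assertNotContains(response, u.password)` after the existing `assertContains` pins the guarantee the test is meant to protect. The unpack `algo, salt, hash_string = (u.password.split('$'))` presumably relies on the fixture user's stored hash having exactly three `$`-separated fields, which is worth stating in a short comment; the redundant parentheses there and the stray trailing comma in `self.client.get(reverse(...),)` are style nits. The enclosing `ChangelistTests` class begins outside the hunk.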
