haiwen/seahub
1
0
Fork 0
mirror of https://github.com/haiwen/seahub.git synced 2025-04-27 02:51:00 +00:00
Code Issues Releases Wiki Activity
5eb303c76b
seahub/seahub/password_session/handlers.py
seafile-dev 5eb303c76b
fix Use of a broken or weak cryptographic hashing (#7671) 
Co-authored-by: lian <imwhatiam123@gmail.com>
2025-03-29 13:16:01 +08:00

37 lines
1.3 KiB
Python
Raw Blame History

# Copyright (c) 2012-2016 Seafile Ltd.
from django.conf import settings
from django.dispatch import receiver
from hashlib import md5
from seahub.auth.signals import user_logged_in
PASSWORD_HASH_KEY = getattr(settings, 'PASSWORD_SESSION_PASSWORD_HASH_KEY', 'password_session_password_hash_key')
def get_password_hash(user):
"""Returns a string of crypted password hash"""
password = user.enc_password or ''
# To achieve "invalidate all active sessions after change password",
# a hash value generated based on the user password is stored in the session,
# and compare it for each request in the MIDDLEWARE.
return md5(
md5(password.encode()).hexdigest().encode() + settings.SECRET_KEY.encode()
).hexdigest()
def update_session_auth_hash(request, user):
"""
Updates a session hash to prevent logging out `user` from a current session.
If `request.user` is defined through ``AuthenticationMiddleware``
then make sure that `user` the same as `request.user`.
"""
if not hasattr(request, 'user') or request.user == user:
request.session[PASSWORD_HASH_KEY] = get_password_hash(user)
@receiver(user_logged_in)
def on_login(sender, user, request, **kwargs):
"""Saves password hash in session"""
update_session_auth_hash(request, user)
Reference in New Issue View Git Blame Copy Permalink