Skip to content

Improved fixup for bcrypt >= 5.0.0, bcrypt version detection #21

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
notypecheck merged 6 commits into from
Oct 9, 2025
Merged

Improved fixup for bcrypt >= 5.0.0, bcrypt version detection #21

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
2648e24
Fix bcrypt wraparound bug test for bcrypt >= 5.0.0
chapmajs Oct 8, 2025
efa7aa2
Unpin bcrypt < 5.0.0
chapmajs Oct 8, 2025
f6d6523
Fixing bcrypt backend version detection
chapmajs Oct 8, 2025
d7f80d3
Fixing indent in bcrypt.py
chapmajs Oct 8, 2025
10d51a2
Backing out version check change
chapmajs Oct 9, 2025
ea34c47
Removing empty line
chapmajs Oct 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 18 additions & 10 deletions passlib/handlers/bcrypt.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -366,17 +366,25 @@ def detect_wrap_bug(ident):
NOTE: if in future we need to deliberately create hashes which have this bug,
can use something like 'hashpw(repeat_string(secret[:((1+secret) % 256) or 1]), 72)'
"""
# check if it exhibits wraparound bug
secret = (b"0123456789" * 26)[:255]
bug_hash = (
ident.encode("ascii")
+ b"04$R1lJ2gkNaoPGdafE.H.16.nVyh2niHsGJhayOHLMiXlI45o8/DU.6"
)
if verify(secret, bug_hash):
return True

# if it doesn't have wraparound bug, make sure it *does* handle things
# correctly -- or we're in some weird third case.
# Secret which will trip the wraparound bug, if present
secret = (b"0123456789"*26)[:255]

# Python bcrypt >= 5.0.0 will raise an exception on passwords greater than 72 characters,
# whereas earlier versions without the wraparound bug silently truncated the input to 72
# characters. See if the exception is generated.
try:
bug_hash = ident.encode("ascii") + b"04$R1lJ2gkNaoPGdafE.H.16.nVyh2niHsGJhayOHLMiXlI45o8/DU.6"

# If we get here, the backend auto-truncates, test for wraparound bug
if verify(secret, bug_hash):
return True
except ValueError:
# Backend explicitly will not auto-truncate, truncate the password to 72 characters
secret = secret[:72]

# Check to make sure that the backend still hashes correctly; if not, we're in a failure case
# not related to the original wraparound bug or bcrypt >= 5.0.0 input length restriction.
correct_hash = (
ident.encode("ascii")
+ b"04$R1lJ2gkNaoPGdafE.H.16.1MKHPvmKwryeulRe225LKProWYwt9Oi"
Expand Down
2 changes: 1 addition & 1 deletion pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ argon2 = [
"argon2-cffi>=18.2.0",
]
bcrypt = [
"bcrypt<5.0.0",
"bcrypt>=3.1.0",
]
totp = [
"cryptography>=43.0.1",
Expand Down