粗淺的分析一波django.contrib.auth.hashers.check_password

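def check_password(password, encoded, setter=None, preferred='default'):
    """
    Returns a boolean of whether the raw password matches the three
    part encoded digest.

    If setter is specified, it'll be called when you need to
    regenerate the password.

    Args:
        password: the raw (plaintext) password submitted by the caller, or None.
        encoded: the stored "algorithm$...$..." digest to verify against.
        setter: optional callable invoked with the raw password when the stored
            digest is correct but should be re-encoded (algorithm changed or
            the preferred hasher reports it must be updated).
        preferred: hasher name (or hasher instance) resolved via get_hasher;
            'default' selects the first configured hasher.

    Returns:
        True only when the password verifies against `encoded`. A None
        password or an unusable stored digest returns False before any
        hasher work is done, so callers must act on this boolean rather
        than comparing raw values themselves.
    """
    if password is None or not is_password_usable(encoded):
        return False

    # Resolve which hasher is currently preferred -- this is the key step.
    preferred = get_hasher(preferred)
    # Identify the algorithm the stored digest was produced with.
    hasher = identify_hasher(encoded)
    # If these differ, the configured hash algorithm has changed since the
    # digest was stored.
    hasher_changed = hasher.algorithm != preferred.algorithm
    must_update = hasher_changed or preferred.must_update(encoded)
    # Always verify with the hasher that produced the stored digest, never
    # with the preferred one.
    is_correct = hasher.verify(password, encoded)

    # If the hasher didn't change (we don't protect against enumeration if it
    # does) and the password should get updated, try to close the timing gap
    # between the work factor of the current encoded password and the default
    # work factor.
    if not is_correct and not hasher_changed and must_update:
        hasher.harden_runtime(password, encoded)

    # Re-encode only after a successful check, so a wrong guess can never
    # trigger a rewrite of the stored digest.
    if setter and is_correct and must_update:
        setter(password)
    return is_correct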

# 主要問題應該是:

# Excerpt from check_password above: a missing password or an unusable stored
# digest is rejected up front, before any hasher is consulted.
if password is None or not is_password_usable(encoded):

return False

如果檢查密碼寫的是

* if request_password == db_password 可能還好

但是如果是:

* if request_password != db_password

當 request_password 是 None 或 ""(空字串)之類的值時,就會出問題

繼續往下看後面的程式碼

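preferred = get_hasher(preferred)  # trace this call: it decides which hashing algorithm is used


def get_hasher(algorithm='default'):
    """
    Returns an instance of a loaded password hasher.

    If algorithm is 'default', the default hasher will be returned.
    This function will also lazy import hashers specified in your
    settings file if needed.

    Args:
        algorithm: a hasher instance (anything with an ``algorithm``
            attribute), the string 'default', or an algorithm name.

    Returns:
        The matching hasher instance.

    Raises:
        ValueError: when the algorithm name is not among the configured
            PASSWORD_HASHERS.
    """
    if hasattr(algorithm, 'algorithm'):
        # Already a hasher instance: hand it straight back.
        return algorithm

    elif algorithm == 'default':
        # 'default' resolves to the first entry of the configured list, so the
        # ordering of PASSWORD_HASHERS is what selects the preferred hasher.
        return get_hashers()[0]

    else:
        hashers = get_hashers_by_algorithm()
        try:
            return hashers[algorithm]
        except KeyError:
            raise ValueError("Unknown password hashing algorithm %s. "
                             "Did you specify it in the PASSWORD_HASHERS "
                             "setting?" % algorithm)


# An interesting decorator, covered in Fluent Python; the author used it once
# on a Project Euler Fibonacci problem to work around recursion-depth issues.
@lru_cache.lru_cache()
def get_hashers():
    """
    Instantiate every hasher listed in settings.PASSWORD_HASHERS, in order.

    The result is memoised by lru_cache, so the settings list is read and the
    hasher classes imported once per process. Index 0 is what
    get_hasher('default') returns.

    Raises:
        ImproperlyConfigured: when an imported hasher class has no
            ``algorithm`` name.
    """
    hashers = []
    for hasher_path in settings.PASSWORD_HASHERS:
        # settings is a LazySettings(); presumably it carries a default
        # PASSWORD_HASHERS list -- worth studying that class later.
        hasher_cls = import_string(hasher_path)
        hasher = hasher_cls()
        if not getattr(hasher, 'algorithm'):
            raise ImproperlyConfigured("hasher doesn't specify an "
                                       "algorithm name: %s" % hasher_path)
        hashers.append(hasher)
    return hashers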

