Jake Howard d72cc3be3b [6.0.x] Fixed CVE-2025-13473 -- Standardized timing of check_password() in mod_wsgi auth handler. ...

Refs CVE-2024-39329, #20760.

Thanks Stackered for the report, and Jacob Walls and Markus Holtermann
for the reviews.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

Backport of 3eb814e02a from main.

2026-02-03 07:59:11 -05:00

..

fixtures

Converted test fixtures to setUpTestData methods

2015-03-05 10:10:32 +11:00

models

Fixed #36087 -- Supported password reset on a custom user model with a composite primary key.

2025-01-13 15:51:21 +01:00

templates

Fixed spelling of "nonexistent".

2017-02-03 08:01:45 -05:00

__init__.py

Moved contrib.auth tests out of contrib.

2015-02-11 10:19:22 -05:00

backend_alias.py

Refs #33476 -- Reformatted code with Black.

2022-02-07 20:37:05 +01:00

client.py

Refs #33476 -- Reformatted code with Black.

2022-02-07 20:37:05 +01:00

common-passwords-custom.txt

Fixed #16860 -- Added password validation to django.contrib.auth.

2015-06-07 19:31:20 +02:00

settings.py

Refs #33476 -- Reformatted code with Black.

2022-02-07 20:37:05 +01:00

test_admin_multidb.py

Fixed #35520 -- Avoided opening transaction for read-only ModelAdmin requests.

2024-07-04 11:38:58 +02:00

test_auth_backends.py

Refs #36500 -- Rewrapped long docstrings and block comments via a script.

2025-07-23 20:17:55 -03:00

test_basic.py

Refs #36500 -- Rewrapped long docstrings and block comments via a script.

2025-07-23 20:17:55 -03:00

test_checks.py

Fixed #31405 -- Added LoginRequiredMiddleware.

2024-05-22 08:51:17 +02:00

test_context_processors.py

Refs #36500 -- Rewrapped long docstrings and block comments via a script.

2025-07-23 20:17:55 -03:00

test_decorators.py

Refs #35844 -- Used asgiref.sync.iscoroutinefunction() instead of deprecated asyncio.iscoroutinefunction().

2024-10-17 10:15:10 -03:00

test_forms.py

[6.0.x] Refs #31223 -- Added __class_getitem__() to SetPasswordMixin.

2025-10-14 08:15:01 -04:00

test_handlers.py

[6.0.x] Fixed CVE-2025-13473 -- Standardized timing of check_password() in mod_wsgi auth handler.

2026-02-03 07:59:11 -05:00

test_hashers.py

Refs #36500 -- Rewrapped long docstrings and block comments via a script.

2025-07-23 20:17:55 -03:00

test_login.py

Fixed #35530 -- Deprecated request.user fallback in auth.login and auth.alogin.

2024-11-28 17:43:46 +01:00

test_management.py

[6.0.x] Fixed #36843, #36793 -- Reverted "Fixed #27489 -- Renamed permissions upon model renaming in migrations."

2026-01-05 15:48:23 -05:00

test_middleware.py

Fixed #36603 -- Optimized check order in LoginRequiredMiddleware.

2025-09-11 11:09:53 +02:00

test_migrations.py

Refs #33476 -- Reformatted code with Black.

2022-02-07 20:37:05 +01:00

test_mixins.py

Refs #33476 -- Applied Black's 2023 stable style.

2023-02-01 11:04:38 +01:00

test_models.py

Fixed #35303 -- Implemented async auth backends and utils.

2024-10-07 14:19:41 +02:00

test_remote_user.py

Refs #36500 -- Rewrapped long docstrings and block comments via a script.

2025-07-23 20:17:55 -03:00

test_signals.py

Used addCleanup() in tests where appropriate.

2023-12-31 10:01:31 +01:00

test_templates.py

Refs #35706 -- Prefixed 'Error:' to titles of admin pages with form errors.

2024-09-02 15:19:33 +02:00

test_templatetags.py

Refs #35959 -- Added render_password_as_hash auth template tag for password rendering.

2025-04-17 12:00:20 -03:00

test_tokens.py

Refs #33476 -- Reformatted code with Black.

2022-02-07 20:37:05 +01:00

test_validators.py

Refs #36500 -- Rewrapped long docstrings and block comments via a script.

2025-07-23 20:17:55 -03:00

test_views.py

[6.0.x] Fixed #36807 -- Fixed form field alignment under <fieldset> in the admin.

2025-12-22 21:04:35 -05:00

urls_admin.py

Refs #33476 -- Reformatted code with Black.

2022-02-07 20:37:05 +01:00

urls_custom_user_admin.py

Refs #33476 -- Reformatted code with Black.

2022-02-07 20:37:05 +01:00

urls.py

Fixed #31405 -- Added LoginRequiredMiddleware.

2024-05-22 08:51:17 +02:00