Fixed MD5 check: "blank salt" doesn't mean "unsalted"

Racum · Racum · commit d6634417fcdb · 2016-09-18T15:48:44.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,13 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [0.2.4] - 2016-09-18
+
+### Changed
+
+- Fixed MD5 check: "blank salt" doesn't mean "unsalted".
+
+
 ## [0.2.3] - 2016-09-18
 
 ### Changed
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "djangohashers"
-version = "0.2.3"
+version = "0.2.4"
 authors = ["Ronaldo Racum <ronaldo@racum.com>"]
 license = "BSD-3-Clause"
 readme = "README.md"
diff --git a/README.md b/README.md
@@ -14,7 +14,7 @@ Add the dependency to your `Cargo.toml`:
 
 ```toml
 [dependencies]
-djangohashers = "0.2.3"
+djangohashers = "0.2.4"
 ```
 
 Reference and import:
@@ -39,7 +39,7 @@ Add the dependency to your `Cargo.toml` declaring the feature:
 
 ```toml
 [dependencies.djangohashers]
-version = "0.2.3"
+version = "0.2.4"
 features = ["fpbkdf2"]
 ```
 
@@ -178,6 +178,8 @@ let encoded = make_password_with_settings("KRONOS", "seasalt", Algorithm::PBKDF2
 // pbkdf2_sha1$24000$seasalt$F+kiWNHXbMBcwgxsvSKFCWHnZZ0=
 ```
 
+**Warning**: `make_password_with_settings` and `make_password_core` will both panic if salt is not only letters and numbers (`^[A-Za-z0-9]*$`).
+
 ### Generating a Hashed Password based on a Django version
 
 > New in `0.2.1`.
diff --git a/src/lib.rs b/src/lib.rs
@@ -43,8 +43,7 @@ pub enum Algorithm {
 
 // Parses an encoded hash in order to detect the algorithm, returns it in an Option.
 fn identify_hasher(encoded: &str) -> Option<Algorithm> {
-    if (encoded.len() == 32 && !encoded.contains("$")) ||
-       (encoded.len() == 37 && encoded.starts_with("md5$$")) {
+    if encoded.len() == 32 && !encoded.contains("$") {
         Some(Algorithm::UnsaltedMD5)
     } else if encoded.len() == 46 && encoded.starts_with("sha1$$") {
         Some(Algorithm::UnsaltedSHA1)
@@ -226,7 +225,7 @@ fn test_identify_hasher() {
     assert!(identify_hasher("7cf6409a82cd4c8b96a9ecf6ad679119")
                 .unwrap() == Algorithm::UnsaltedMD5);
     assert!(identify_hasher("md5$$7cf6409a82cd4c8b96a9ecf6ad679119")
-                .unwrap() ==Algorithm::UnsaltedMD5);
+                .unwrap() == Algorithm::MD5);
     assert!(identify_hasher("sha1$$22e6217f026c7a395f0840c1ffbdb163072419e7")
                 .unwrap() == Algorithm::UnsaltedSHA1);
     assert!(identify_hasher("bcrypt_sha256$$2b$12$LZSJchsWG/DrBy1erNs4eeYo6tZNlLFQmONdxN9HPesa1EyXVcTXK")
