Clarified that constant_time_compare doesn't protect string lengths.

commit 7cf0f04230b1b6dd2680548338fe584c0ad3f85a 1 parent 20a91cc
Aymeric Augustin authored March 17, 2013

Showing 1 changed file with 5 additions and 0 deletions.

django/utils/crypto.py
@@ -85,6 +85,11 @@ def constant_time_compare(val1, val2):
85 85
     Returns True if the two strings are equal, False otherwise.
86 86
 
87 87
     The time taken is independent of the number of characters that match.
  88
+
  89
+    For the sake of simplicity, this function executes in constant time only
  90
+    when the two strings have the same length. It short-circuits when they
  91
+    have different lengths. Since Django only uses it to compare hashes of
  92
+    known expected length, this is acceptable.
88 93
     """
89 94
     if len(val1) != len(val2):
90 95
         return False
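Review bot: The added docstring paragraph should name the consequence of the short-circuit directly: because `if len(val1) != len(val2): return False` returns before any byte comparison, the timing of a call reveals whether the two lengths match, so the function is only safe where the expected length is not itself secret. A sentence along the lines of "The timing of the comparison reveals whether the lengths differ; do not use this to compare values whose length must stay secret." would make the caveat actionable for callers outside Django, who do not benefit from the "hashes of known expected length" assumption stated here.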

0 notes on commit 7cf0f04
