Fixed #15627 -- Use constant time comparison for password checks. Thanks to hvdklauw for the report and patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15870 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit a0878b5f95b5fc5bac02d818e864cab507b73564 1 parent 7ab5ce6
Russell Keith-Magee authored

Showing 1 changed file with 2 additions and 1 deletion.

django/contrib/auth/models.py (3 lines changed)
@@ -10,6 +10,7 @@
10 10
 from django.utils.encoding import smart_str
11 11
 from django.utils.hashcompat import md5_constructor, sha_constructor
12 12
 from django.utils.translation import ugettext_lazy as _
  13
+from django.utils.crypto import constant_time_compare
13 14
 
14 15
 
15 16
 UNUSABLE_PASSWORD = '!' # This will never be a valid hash
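Review bot: the new import on the `+` line is appended after `ugettext_lazy` instead of being kept with the other `django.utils` imports in sorted order; `django.utils.crypto` sorts before `django.utils.encoding`, so `from django.utils.crypto import constant_time_compare` belongs on the line before `from django.utils.encoding import smart_str`, which also keeps the import block stable for the next person adding a `django.utils` import.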
@@ -39,7 +40,7 @@ def check_password(raw_password, enc_password):
39 40
     encryption formats behind the scenes.
40 41
     """
41 42
     algo, salt, hsh = enc_password.split('$')
42  
-    return hsh == get_hexdigest(algo, salt, raw_password)
  43
+    return constant_time_compare(hsh, get_hexdigest(algo, salt, raw_password))
43 44
 
44 45
 def update_last_login(sender, user, **kwargs):
45 46
     """
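Review bot: no test accompanies the change to `check_password` (the commit touches only `django/contrib/auth/models.py`), so nothing prevents a later refactor from quietly reverting the `+` line to `hsh == get_hexdigest(...)`; a test asserting that `check_password` still accepts the correct password and rejects a wrong one for each supported `algo` would at least pin the function's behaviour, and the docstring on lines 39-41 should state that the digest comparison is intentionally constant-time so the reason for not using `==` survives in the code. The timing fix covers only that final comparison: `algo, salt, hsh = enc_password.split('$')` on line 42 is unchanged, so a caller that passes `UNUSABLE_PASSWORD` (`'!'`, line 16 of the first hunk) still gets a ValueError from the three-way unpack rather than a False result, and callers must continue to guard with a usable-password check before calling this function.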

0 notes on commit a0878b5
