Fixed #15627 -- Use constant time comparison for password checks. Tha…
…nks to hvdklauw for the report and patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15870 bcc190cf-cafb-0310-a4f2-bffc1f526a37
freakboy3742 committed Mar 17, 2011
1 parent 7ab5ce6 commit a0878b5
Showing 1 changed file with 2 additions and 1 deletion.
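--- a/django/contrib/auth/models.py
+++ b/django/contrib/auth/models.py
@@ -10,6 +10,7 @@
 from django.utils.encoding import smart_str
 from django.utils.hashcompat import md5_constructor, sha_constructor
 from django.utils.translation import ugettext_lazy as _
+from django.utils.crypto import constant_time_compare
 
 
 UNUSABLE_PASSWORD = '!' # This will never be a valid hash
@@ -39,7 +40,7 @@ def check_password(raw_password, enc_password):
     encryption formats behind the scenes.
     """
     algo, salt, hsh = enc_password.split('$')
-    return hsh == get_hexdigest(algo, salt, raw_password)
+    return constant_time_compare(hsh, get_hexdigest(algo, salt, raw_password))
 
 def update_last_login(sender, user, **kwargs):
     """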
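Review bot: The comparison on the last changed line of the second hunk is now timing-safe, but nothing in the hunk says why, so a later cleanup could revert it to `==`; add `# Constant-time compare so response timing does not reveal how many leading digest characters matched.` above the return. The `enc_password.split('$')` on the preceding line still raises ValueError for a stored value without exactly two '$' separators — including the UNUSABLE_PASSWORD marker from the first hunk — so a malformed or unusable hash surfaces as an exception rather than False; whether every caller pre-checks that is outside this hunk. constant_time_compare compares lengths before the per-character loop, which is acceptable here only because the stored hex digest and the freshly computed one have the same length for a given algo. The diffstat shows no test change; a regression test asserting that check_password still returns True for the right password and False for a wrong one, and that the comparison goes through constant_time_compare, would keep the fix from being silently undone. check_password's signature and the start of its docstring lie before this hunk.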
