Use constant_time_compare for view restriction password checks

wagtail · May 4, 2020 · 3c03049 · 3c03049
1 parent baa4acc
commit 3c03049
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/wagtail/core/forms.py b/wagtail/core/forms.py
@@ -1,4 +1,5 @@
 from django import forms
+from django.utils.crypto import constant_time_compare
 from django.utils.translation import ugettext as _
 from django.utils.translation import ugettext_lazy
 
@@ -13,7 +14,7 @@ def __init__(self, *args, **kwargs):
 
     def clean_password(self):
         data = self.cleaned_data['password']
-        if data != self.restriction.password:
+        if not constant_time_compare(data, self.restriction.password):
             raise forms.ValidationError(_("The password you have entered is not correct. Please try again."))
 
         return data