diff --git a/django/utils/crypto.py b/django/utils/crypto.py
index 94f717bb17..5d0f381ffa 100644
--- a/django/utils/crypto.py
+++ b/django/utils/crypto.py
@@ -85,6 +85,11 @@ def constant_time_compare(val1, val2):
     Returns True if the two strings are equal, False otherwise.
 
     The time taken is independent of the number of characters that match.
+
+    For the sake of simplicity, this function executes in constant time only
+    when the two strings have the same length. It short-circuits when they
+    have different lengths. Since Django only uses it to compare hashes of
+    known expected length, this is acceptable.
     """
     if len(val1) != len(val2):
         return False
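Review bot: The added docstring paragraph justifies the length short-circuit by how Django itself calls the function, but says nothing to other callers of this public utility, who may pass values whose length is not already known to an attacker; the contract should state the limitation from the caller's side. I would end the paragraph with `Callers comparing values whose length is itself secret should not rely on this function, since the early return reveals whether the lengths match.` It may also be worth stating that the constant-time guarantee covers the character comparison loop only, since `len(val1) != len(val2)` on the next line is the one observable early exit. If the supported Python versions provide `hmac.compare_digest`, a one-line pointer to it as the preferred primitive would help readers, though I cannot tell the version range from this hunk. The body of constant_time_compare continues past the end of the hunk.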