From 7cf0f04230b1b6dd2680548338fe584c0ad3f85a Mon Sep 17 00:00:00 2001
From: Aymeric Augustin
Date: Sun, 17 Mar 2013 22:14:14 +0100
Subject: [PATCH] Clarified that constant_time_compare doesn't protect string lengths.

---
 django/utils/crypto.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/django/utils/crypto.py b/django/utils/crypto.py
index 94f717bb17..5d0f381ffa 100644
--- a/django/utils/crypto.py
+++ b/django/utils/crypto.py
@@ -85,6 +85,11 @@ def constant_time_compare(val1, val2):
     Returns True if the two strings are equal, False otherwise. The time taken is independent of the number of characters that match.
+
+    For the sake of simplicity, this function executes in constant time only
+    when the two strings have the same length. It short-circuits when they
+    have different lengths. Since Django only uses it to compare hashes of
+    known expected length, this is acceptable.
     """
     if len(val1) != len(val2):
         return False
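Review bot: The new paragraph justifies the length short-circuit by Django's own call sites, but constant_time_compare is public API and third-party callers get no contract from it; the docstring should state the guarantee callers may rely on rather than the internal rationale, e.g. `Callers must not rely on this function to hide the length of either argument.`. "Executes in constant time" is also a stronger claim than a pure-Python comparison loop can make, so `The time taken does not depend on which characters match` would be a more accurate phrasing of the first sentence as well. The comparison loop that follows the length check runs past the end of this hunk, so the function's body continues outside it. Where the interpreter provides it, delegating to `hmac.compare_digest` would give the same contract with a C implementation, though the Python versions Django supports at this date may rule that out.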