Clarified that constant_time_compare doesn't protect string lengths.
parent
20a91cce04
commit
7cf0f04230
@ -85,6 +85,11 @@ def constant_time_compare(val1, val2):
|
||||||
Returns True if the two strings are equal, False otherwise.
|
Returns True if the two strings are equal, False otherwise.
|
||||||
|
|
||||||
The time taken is independent of the number of characters that match.
|
The time taken is independent of the number of characters that match.
|
||||||
|
|
||||||
|
For the sake of simplicity, this function executes in constant time only
|
||||||
|
when the two strings have the same length. It short-circuits when they
|
||||||
|
have different lengths. Since Django only uses it to compare hashes of
|
||||||
|
known expected length, this is acceptable.
|
||||||
"""
|
"""
|
||||||
if len(val1) != len(val2):
|
if len(val1) != len(val2):
|
||||||
return False
|
return False
|
||||||
|
|
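Review bot: The added paragraph justifies the length short-circuit by how Django itself calls the function, but `constant_time_compare` is a public helper that third-party code imports, so the caveat reads better as a contract for callers than as an internal remark; something like `Callers must not rely on this function to hide the length of a secret: compare fixed-length values such as hashes or HMACs of the inputs rather than the raw secrets.` The "known expected length" claim only holds when both operands are digests — comparing a user-supplied token against a stored value still reveals whether the lengths match, which is usually harmless but is exactly what a caller needs told. The comparison loop itself lies after the hunk, so the remainder of the body cannot be checked here against the constant-time statement the docstring makes.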