Clarified that constant_time_compare doesn't protect string lengths.

This commit is contained in:
Aymeric Augustin 2013-03-17 22:14:14 +01:00
parent 20a91cce04
commit 7cf0f04230
1 changed files with 5 additions and 0 deletions


@ -85,6 +85,11 @@ def constant_time_compare(val1, val2):
Returns True if the two strings are equal, False otherwise. Returns True if the two strings are equal, False otherwise.
The time taken is independent of the number of characters that match. The time taken is independent of the number of characters that match.
For the sake of simplicity, this function executes in constant time only
when the two strings have the same length. It short-circuits when they
have different lengths. Since Django only uses it to compare hashes of
known expected length, this is acceptable.
""" """
if len(val1) != len(val2): if len(val1) != len(val2):
return False return False
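Review bot: the added docstring paragraph states the "known expected length" assumption but leaves the consequence implicit: the `return False` on a length mismatch leaks whether the two inputs have the same length, so the function is only constant-time for callers that guarantee equal-length inputs, and that guarantee has to hold at every call site rather than only for the hash comparisons in core. Consider adding one sentence that says so explicitly, e.g. "Callers must not rely on this function to hide the length of either argument", so that future uses with variable-length, attacker-influenced values are caught in review. On Python 3.3+ `hmac.compare_digest` exists for this purpose and could be preferred where available, but that is a separate change from documenting the current behaviour.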