p31829507
/
django
mirror of https://github.com/django/django.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fixed #26614 -- Used constant_time_compare() in checking session auth hash in login().

This commit is contained in:
Tim Graham 2016-05-13 18:26:10 -04:00
parent 104727030c
commit 094ea69e07
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
django/contrib/auth/__init__.py
View File

@ -100,7 +100,7 @@ def login(request, user, backend=None):
if SESSION_KEY in request.session: if SESSION_KEY in request.session:
if _get_user_session_key(request) != user.pk or ( if _get_user_session_key(request) != user.pk or (
session_auth_hash and session_auth_hash and
request.session.get(HASH_SESSION_KEY) != session_auth_hash): not constant_time_compare(request.session.get(HASH_SESSION_KEY, ''), session_auth_hash)):
# To avoid reusing another user's session, create a new, empty # To avoid reusing another user's session, create a new, empty
# session if the existing session corresponds to a different # session if the existing session corresponds to a different
# authenticated user. # authenticated user.