mirror of https://github.com/django/django.git
Fixed #15627 -- Use constant time comparison for password checks. Thanks to hvdklauw for the report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15870 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
7ab5ce6cf1
commit
a0878b5f95
|
@ -10,6 +10,7 @@ from django.contrib.contenttypes.models import ContentType
|
|||
from django.utils.encoding import smart_str
|
||||
from django.utils.hashcompat import md5_constructor, sha_constructor
|
||||
from django.utils.translation import ugettext_lazy as _
|
||||
from django.utils.crypto import constant_time_compare
|
||||
|
||||
|
||||
UNUSABLE_PASSWORD = '!' # This will never be a valid hash
|
||||
|
@ -39,7 +40,7 @@ def check_password(raw_password, enc_password):
|
|||
encryption formats behind the scenes.
|
||||
"""
|
||||
algo, salt, hsh = enc_password.split('$')
|
||||
return hsh == get_hexdigest(algo, salt, raw_password)
|
||||
return constant_time_compare(hsh, get_hexdigest(algo, salt, raw_password))
|
||||
|
||||
def update_last_login(sender, user, **kwargs):
|
||||
"""
|
||||
|
|
Loading…
Reference in New Issue