From a0878b5f95b5fc5bac02d818e864cab507b73564 Mon Sep 17 00:00:00 2001 From: Russell Keith-Magee Date: Thu, 17 Mar 2011 11:51:07 +0000 Subject: [PATCH] Fixed #15627 -- Use constant time comparison for password checks. Thanks to hvdklauw for the report and patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15870 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- django/contrib/auth/models.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/django/contrib/auth/models.py b/django/contrib/auth/models.py index ec3af633bdb..8fcbdef6e8e 100644 --- a/django/contrib/auth/models.py +++ b/django/contrib/auth/models.py @@ -10,6 +10,7 @@ from django.contrib.contenttypes.models import ContentType from django.utils.encoding import smart_str from django.utils.hashcompat import md5_constructor, sha_constructor from django.utils.translation import ugettext_lazy as _ +from django.utils.crypto import constant_time_compare UNUSABLE_PASSWORD = '!' # This will never be a valid hash @@ -39,7 +40,7 @@ def check_password(raw_password, enc_password): encryption formats behind the scenes. """ algo, salt, hsh = enc_password.split('$') - return hsh == get_hexdigest(algo, salt, raw_password) + return constant_time_compare(hsh, get_hexdigest(algo, salt, raw_password)) def update_last_login(sender, user, **kwargs): """