Fixed #15627 -- Use constant time comparison for password checks. Thanks to hvdklauw for the report and patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15870 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Russell Keith-Magee 2011-03-17 11:51:07 +00:00
parent 7ab5ce6cf1
commit a0878b5f95
1 changed files with 2 additions and 1 deletions


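--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -10,6 +10,7 @@ from django.contrib.contenttypes.models import ContentType
 from django.utils.encoding import smart_str
 from django.utils.hashcompat import md5_constructor, sha_constructor
 from django.utils.translation import ugettext_lazy as _
+from django.utils.crypto import constant_time_compare
 UNUSABLE_PASSWORD = '!' # This will never be a valid hash
@@ -39,7 +40,7 @@ def check_password(raw_password, enc_password):
 encryption formats behind the scenes.
 """
 algo, salt, hsh = enc_password.split('$')
-return hsh == get_hexdigest(algo, salt, raw_password)
+return constant_time_compare(hsh, get_hexdigest(algo, salt, raw_password))
 def update_last_login(sender, user, **kwargs):
 """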