Commit a0878b5f authored by Russell Keith-Magee's avatar Russell Keith-Magee

Fixed #15627 -- Use constant time comparison for password checks. Thanks to...

Fixed #15627 -- Use constant time comparison for password checks. Thanks to hvdklauw for the report and patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15870 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 7ab5ce6c
+2 −1
@@ -10,6 +10,7 @@ from django.contrib.contenttypes.models import ContentType
from django.utils.encoding import smart_str
from django.utils.hashcompat import md5_constructor, sha_constructor
from django.utils.translation import ugettext_lazy as _
from django.utils.crypto import constant_time_compare


UNUSABLE_PASSWORD = '!' # This will never be a valid hash
@@ -39,7 +40,7 @@ def check_password(raw_password, enc_password):
    encryption formats behind the scenes.
    """
    algo, salt, hsh = enc_password.split('$')
    return hsh == get_hexdigest(algo, salt, raw_password)
    return constant_time_compare(hsh, get_hexdigest(algo, salt, raw_password))

def update_last_login(sender, user, **kwargs):
    """