Ticket #20760: 20760_fix.diff

File 20760_fix.diff, 861 bytes (added by jpaglier@…, 2 years ago)

Patch to fix the timing attack in ModelBackend.authenticate.

  • django/contrib/auth/backends.py

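diff --git a/django/contrib/auth/backends.py b/django/contrib/auth/backends.py
index 6b31f72..d61c6b0 100644
--- a/django/contrib/auth/backends.py
+++ b/django/contrib/auth/backends.py
@@ -10,6 +10,10 @@ class ModelBackend(object):
 
     def authenticate(self, username=None, password=None, **kwargs):
         UserModel = get_user_model()
+
+        user = UserModel()
+        user.set_password("if user doesn't exist we still want to be slow")
+
         if username is None:
             username = kwargs.get(UserModel.USERNAME_FIELD)
         try:
@@ -17,6 +21,7 @@ class ModelBackend(object):
             if user.check_password(password):
                 return user
         except UserModel.DoesNotExist:
+            user.check_password("this won't match that!")
             return None
 
     def get_group_permissions(self, user_obj, obj=None):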
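Review bot: The dummy `UserModel()` plus `user.set_password(...)` inserted before the lookup runs the password hasher on every call, so a successful login now pays for two hash computations (the dummy `set_password` and the real `check_password`) and the missing-user path pays two as well (`set_password` plus the added `check_password`), doubling the cost for all callers when one extra hash on the miss path is enough. Moving the work into the `except UserModel.DoesNotExist:` branch keeps the timing equalisation with a single extra hash only when the user is absent: drop the two added lines above `if username is None:` and replace the added `user.check_password("this won't match that!")` with `UserModel().set_password(password)` preceded by the comment `# Run the default hasher once so a missing user costs about the same as a wrong password.`. Either way the equalisation is only approximate: a stored user whose hash was made with a different algorithm or iteration count than the current default hasher will still take a different time, so this narrows the user-enumeration signal rather than removing it, which the commit message could state. The lookup line between the two hunks and the rest of `authenticate` and `get_group_permissions` lie outside the shown hunks.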