
Ticket #20760: 20760_fix.diff

File 20760_fix.diff, 861 bytes (added by jpaglier@…, 12 months ago)

Patch to fix the timing attack.

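diff --git a/django/contrib/auth/backends.py b/django/contrib/auth/backends.py
index 6b31f72..d61c6b0 100644
--- a/django/contrib/auth/backends.py
+++ b/django/contrib/auth/backends.py
@@ -10,6 +10,10 @@ class ModelBackend(object):
 
     def authenticate(self, username=None, password=None, **kwargs):
         UserModel = get_user_model()
+
+        user = UserModel()
+        user.set_password("if user doesn't exist we still want to be slow")
+
         if username is None:
             username = kwargs.get(UserModel.USERNAME_FIELD)
         try:
@@ -17,6 +21,7 @@ class ModelBackend(object):
             if user.check_password(password):
                 return user
         except UserModel.DoesNotExist:
+            user.check_password("this won't match that!")
             return None
 
     def get_group_permissions(self, user_obj, obj=None):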
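Review bot: The dummy work is done twice per call on the new side — `user.set_password(...)` in the first hunk runs unconditionally before the lookup inside `try:`, and the existing-user path then still runs the real `check_password(password)` — so every successful login now pays two deliberately slow hash rounds instead of one, while the `except UserModel.DoesNotExist:` branch pays the same two. A single `UserModel().set_password(password)` placed inside the `except UserModel.DoesNotExist:` branch would equalise both paths at one hash each and drop the unconditional hashing at the top of authenticate. Whichever form is kept, the added lines need a why-comment so a later maintainer does not strip them as dead code, e.g. `# Hash once even when no user matched, so a missing username is not distinguishable by response time (#20760).`. Note that the timings only line up when the stored hash uses the same hasher and work factor as the default one used by `set_password`; the patch cannot check that, which seems inherent to the approach but is worth stating in the comment. The lookup that raises `DoesNotExist` sits between the two hunks and is not shown.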