check_password should use constant_time_compare instead of == to check passwords
Reported by: hvdklauw
Owned by: nobody
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
I just noticed Django doesn't use the constant_time_compare function in the check_password function in contrib.auth.models.
I'll add a patch that changes it; it would be nice to have this little bit of extra security in the 1.3 release.
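An added example (not Django's code and not the reporter's patch) of the point behind the ticket: a minimal check_password over the 1.3-era "algorithm$salt$hexdigest" storage layout (assumed here), with the plain == comparison beside a constant-time one. A short-circuiting == returns as soon as the first differing character is found, so response time leaks how many leading characters of the candidate digest matched the stored one; the accumulate-XOR compare always touches every character.

```python
import hashlib
import os

# Stored format assumed for this example: "<algorithm>$<salt>$<hexdigest>".


def constant_time_compare(val1, val2):
    """Return True if the two strings are equal, touching every character
    regardless of where the first difference is (length still leaks, which is
    acceptable for fixed-width digests). Python's hmac.compare_digest does the
    same job in C and is the better choice in real code."""
    if len(val1) != len(val2):
        return False
    result = 0
    for x, y in zip(val1, val2):
        result |= ord(x) ^ ord(y)  # accumulate differences, never exit early
    return result == 0


def get_hexdigest(algorithm, salt, raw_password):
    """Salted digest of the password in the named algorithm (sha1 only here)."""
    if algorithm == 'sha1':
        return hashlib.sha1((salt + raw_password).encode('utf-8')).hexdigest()
    raise ValueError('Unsupported algorithm: %r' % algorithm)


def make_password(raw_password, salt=None, algorithm='sha1'):
    """Build the stored "algorithm$salt$hexdigest" value."""
    salt = salt or os.urandom(8).hex()
    return '%s$%s$%s' % (algorithm, salt, get_hexdigest(algorithm, salt, raw_password))


def check_password_unsafe(raw_password, enc_password):
    """The 'before' shape: == compares character by character and stops at the
    first mismatch, so the time taken depends on the matching prefix length."""
    algo, salt, hsh = enc_password.split('$')
    return hsh == get_hexdigest(algo, salt, raw_password)


def check_password(raw_password, enc_password):
    """The hardened shape the ticket asks for: same result, fixed-time compare."""
    algo, salt, hsh = enc_password.split('$')
    return constant_time_compare(hsh, get_hexdigest(algo, salt, raw_password))
```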
Change History (6)
Changed 3 years ago by hvdklauw
comment:1 Changed 3 years ago by russellm
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
- Triage Stage changed from Unreviewed to Ready for checkin