check_password should use constant_time_compare instead of == to check passwords
Reported by: Harro
Owned by: nobody
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
I just noticed Django doesn't use the constant_time_compare function in the check_password function in contrib.auth.models.
I'll add a patch that changes it; it would be nice to have this little bit of extra security in the 1.3 release.
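The point of the ticket, shown as an added example rather than Django's own code: a `==` between the recomputed digest and the stored digest returns as soon as the first differing character is found, so the time it takes reveals how long the matching prefix is, whereas a constant-time compare folds every byte into one accumulator and examines the whole string regardless. The `sha256$<salt>$<hexdigest>` storage format, the function names `make_password`, `check_password_naive`, `check_password` and `bytes_examined`, and the instrumented `_compare` helper are all constructed for this illustration (Django 1.3 stored `sha1$salt$hash`, but the comparison issue is identical for any digest). `hmac.compare_digest` is the standard-library equivalent on current Python and is used here only to cross-check the hand-written version.

```python
import hashlib
import hmac
import os

# Added example, not Django's code. The "sha256$<salt>$<hexdigest>" format,
# the helper names and the byte-counting instrumentation are constructed here
# purely to make the timing difference visible without a stopwatch.


def _compare(val1: bytes, val2: bytes, constant_time: bool) -> tuple:
    """Compare two byte strings and report how many bytes were examined.

    With constant_time=False this mimics ``==``: it returns at the first
    mismatching byte, so the number of bytes examined (and hence the running
    time) leaks the length of the matching prefix.  With constant_time=True
    every byte is OR-ed into ``result`` and only the final value is inspected.
    """
    if len(val1) != len(val2):
        return False, 0
    result = 0
    examined = 0
    for x, y in zip(val1, val2):
        examined += 1
        result |= x ^ y
        if not constant_time and result:
            return False, examined  # early exit, as == would do
    return result == 0, examined


def constant_time_compare(val1: str, val2: str) -> bool:
    """Equality check whose duration does not depend on where the inputs differ."""
    return _compare(val1.encode(), val2.encode(), constant_time=True)[0]


def agrees_with_stdlib(val1: str, val2: str) -> bool:
    """Cross-check against hmac.compare_digest (Python 3.3+)."""
    return constant_time_compare(val1, val2) == hmac.compare_digest(
        val1.encode(), val2.encode()
    )


def make_password(raw_password: str, salt: str = None) -> str:
    """Produce "sha256$<salt>$<hexdigest>" (constructed format, see above)."""
    if salt is None:
        salt = os.urandom(8).hex()
    digest = hashlib.sha256((salt + raw_password).encode()).hexdigest()
    return "sha256$%s$%s" % (salt, digest)


def _recompute(raw_password: str, encoded: str) -> tuple:
    """Return (digest of the candidate password, digest stored in encoded)."""
    algo, salt, stored = encoded.split("$")
    if algo != "sha256":
        raise ValueError("unsupported algorithm in this example: %r" % algo)
    return hashlib.sha256((salt + raw_password).encode()).hexdigest(), stored


def check_password_naive(raw_password: str, encoded: str) -> bool:
    """The pattern the ticket objects to: compare digests with ==."""
    computed, stored = _recompute(raw_password, encoded)
    return computed == stored


def check_password(raw_password: str, encoded: str) -> bool:
    """The fix the ticket proposes: compare digests in constant time."""
    computed, stored = _recompute(raw_password, encoded)
    return constant_time_compare(computed, stored)


def bytes_examined(encoded: str, guess: str) -> tuple:
    """How many digest characters each strategy looks at for a given guess.

    Returns (naive, constant_time).  The naive count depends on how many
    leading hex characters the guess's digest shares with the stored one;
    the constant-time count is always the full digest length (64 for SHA-256).
    """
    computed, stored = _recompute(guess, encoded)
    naive = _compare(computed.encode(), stored.encode(), constant_time=False)[1]
    ct = _compare(computed.encode(), stored.encode(), constant_time=True)[1]
    return naive, ct


if __name__ == "__main__":
    encoded = make_password("correct horse", salt="0123456789abcdef")
    print("naive:", check_password_naive("correct horse", encoded),
          check_password_naive("wrong", encoded))
    print("constant-time:", check_password("correct horse", encoded),
          check_password("wrong", encoded))
    print("digest chars examined for a wrong guess (naive, ct):",
          bytes_examined(encoded, "wrong"))
```

Both `check_password` variants return the same booleans; the difference is only in `bytes_examined`, where the naive path stops early and the constant-time path always reads all 64 hex characters. Note that the length check at the top of `_compare` is itself an early exit, which is acceptable here because the digest length is public (it is fixed by the algorithm) and does not depend on the password.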
Change History (6)
comment:1 Changed 6 years ago by
Patch needs improvement: unset
Triage Stage: Unreviewed → Ready for checkin