id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
19687	UnsaltedMD5PasswordHasher throws exception on verify() with md5$$SALT	twig@…	nobody	"After upgrading from v1.2.7 to 1.4.3, users had no way of logging in.

I noticed that the UnsaltedMD5PasswordHasher.verify() was passing the wrong arguments to constant_time_compare(). The arg ""encoded"" includes the algorithm and prefix ""md5$$"", so we need to strip it out first.


Should change:
{{{
return constant_time_compare(encoded, encoded_2)
}}}


To:
{{{
return constant_time_compare(encoded[5:], encoded_2)
}}}"	Bug	closed	contrib.auth	1.4	Normal	duplicate	login		Unreviewed	1	0	0	0	1	0
