Opened 8 years ago
Closed 8 years ago
#26614 closed Cleanup/optimization (fixed)
Use constant_time_compare() in checking session auth hash in login()
Reported by: | Alex Gaynor | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
django.contrib.auth.login() should use a constant time comparison so that an attacker is unable to gain information about the expected session hash.
The implication seems to be that an attacker might be able to guess the salted hmac of the password, which should be pretty much worthless, and they would also have to guess the session ID, so this is more hardening than a security vulnerability.
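The difference between an early-exit equality check and a constant-time one, as an added example that is not part of the ticket or Django's own code. The standard library's `hmac.compare_digest` stands in for `constant_time_compare()` so the block runs without Django; the key, salt, session key names and helper functions are hypothetical.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-secret-key"      # constructed sample value
KEY_SALT = b"example.session_auth_hash"     # hypothetical salt, not Django's


def session_auth_hash(password_hash):
    """Salted HMAC of the stored password hash (simplified model)."""
    key = hashlib.sha256(KEY_SALT + SECRET_KEY).digest()
    return hmac.new(key, password_hash.encode(), hashlib.sha256).hexdigest()


def early_exit_compare(a, b):
    """Model of an ordinary equality check: stops at the first mismatch.

    Returns (equal, characters_examined). The second value stands in for
    running time, which grows with the length of the matching prefix.
    """
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b), start=1):
        if x != y:
            return False, i
    return True, len(a)


def session_hash_matches(stored, expected):
    """Hardened check: work done does not depend on where the values differ."""
    # A session that carries no hash is compared as "" rather than None.
    return hmac.compare_digest((stored or "").encode(), expected.encode())


def must_flush_session(session, user_pk, expected_hash):
    """Decide whether an existing session belongs to a different login."""
    if "user_id" not in session:            # hypothetical session key names
        return False
    if session["user_id"] != user_pk:
        return True
    return not session_hash_matches(session.get("auth_hash"), expected_hash)
```
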
PR