Opened 8 years ago

Closed 8 years ago

#26614 closed Cleanup/optimization (fixed)

Use constant_time_compare() in checking session auth hash in login()

Reported by: Alex Gaynor
Owned by: nobody
Component: contrib.auth
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

django.contrib.auth.login() should use a constant time comparison so that an attacker is unable to gain information about the expected session hash.

The implication seems to be that an attacker might be able to guess the salted hmac of the password, which should be pretty much worthless, and they would also have to guess the session ID, so this is more hardening than a security vulnerability.
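The before/after pattern the ticket describes, as an added example that is not Django's own code: a simplified model of the session auth hash and of the check login() makes on an existing session. SECRET_KEY, KEY_SALT, the helper names and the sample values are constructed assumptions; the session key names mirror the ones Django uses.

```python
import hashlib
import hmac

# Constructed stand-ins for the project's secret and key salt (hypothetical values;
# a real deployment's SECRET_KEY is never embedded in code).
SECRET_KEY = b"constructed-example-secret-not-for-real-use"
KEY_SALT = b"session-auth-hash-example-salt"

# Session key names as Django's contrib.auth uses them.
SESSION_KEY = "_auth_user_id"
HASH_SESSION_KEY = "_auth_user_hash"


def session_auth_hash(password_hash: str, secret: bytes = SECRET_KEY) -> str:
    """Salted HMAC over the user's stored password hash (simplified model of
    get_session_auth_hash()); it changes when the password changes, which is
    what lets login() detect and flush a stale session."""
    key = hashlib.sha256(KEY_SALT + secret).digest()
    return hmac.new(key, password_hash.encode(), hashlib.sha256).hexdigest()


def session_hash_matches_naive(stored: str, expected: str) -> bool:
    # The pattern the ticket replaces: str comparison may stop at the first
    # differing byte, so its running time depends on the length of the common
    # prefix between the session's value and the expected hash.
    return stored == expected


def session_hash_matches(stored: str, expected: str) -> bool:
    # Hardened pattern: hmac.compare_digest takes time independent of where the
    # inputs differ (django.utils.crypto.constant_time_compare wraps it).
    return hmac.compare_digest(stored.encode(), expected.encode())


def login_should_flush(session: dict, user_pk: int, password_hash: str) -> bool:
    """Decision login() makes when a session already exists: flush it if it
    belongs to another user or carries a missing or stale session auth hash."""
    if SESSION_KEY not in session:
        return False
    if session[SESSION_KEY] != user_pk:
        return True
    expected = session_auth_hash(password_hash)
    # Default to '' so an absent key still goes through the constant-time path.
    return not session_hash_matches(session.get(HASH_SESSION_KEY, ""), expected)
```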

Change History (2)

comment:1 by Tim Graham, 8 years ago

Has patch: set

comment:2 by Tim Graham <timograham@…>, 8 years ago

Resolution: fixed
Status: new → closed

In 094ea69:

Fixed #26614 -- Used constant_time_compare() in checking session auth hash in login().
