#26614: Use constant_time_compare() in checking session auth hash in login()
------------------------------------------------+------------------------
Reporter: Alex | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Keywords:
Triage Stage: Accepted | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
[https://github.com/django/django/blob/104727030c52a6cd5e85fdcc64dd6cfc906fc241/django/contrib/auth/__init__.py#L103 django.contrib.auth.login()]
should use a constant time comparison so that an attacker is unable to gain
information about the expected session hash.
The implication seems to be that an attacker might be able to guess the
salted hmac of the password, which should be pretty much worthless, and
they would also have to guess the session ID, so this is more hardening
than a security vulnerability.
--
Ticket URL: <https://code.djangoproject.com/ticket/26614>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
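As an added illustration (not Django's code and not part of the ticket), a stripped-down login() that keeps the session when the stored auth hash matches the user's current one and flushes it otherwise, comparing with a helper shaped like django.utils.crypto.constant_time_compare; SECRET_KEY, KEY_SALT and the password hashes are constructed stand-ins.

```python
import hashlib
import hmac

# Constructed stand-ins for settings.SECRET_KEY, the key salt and the session
# key name; nothing here is Django's actual code.
SECRET_KEY = "constructed-secret-key-not-for-real-use"
KEY_SALT = "constructed.session.auth.hash.salt"
HASH_SESSION_KEY = "_auth_user_hash"


def salted_hmac(key_salt: str, value: str, secret: str = SECRET_KEY) -> str:
    """Derive a key from salt+secret, then HMAC the value (salted-HMAC pattern)."""
    key = hashlib.sha256((key_salt + secret).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def session_auth_hash(password_hash: str) -> str:
    """The value stored in the session so that a password change invalidates it."""
    return salted_hmac(KEY_SALT, password_hash)


def constant_time_compare(val1, val2) -> bool:
    """Same shape as django.utils.crypto.constant_time_compare: normalise to
    bytes and use hmac.compare_digest, so runtime does not depend on where
    the two values first differ."""
    return hmac.compare_digest(str(val1).encode(), str(val2).encode())


def login(session: dict, user_password_hash: str, constant_time: bool = True) -> dict:
    """Stripped-down login(): if the session already carries an auth hash that
    does not match this user's current hash, flush the session before storing
    the new hash. constant_time=False reproduces the plain '!=' the ticket
    wants replaced; both branches return the same result, only timing differs."""
    expected = session_auth_hash(user_password_hash)
    stored = session.get(HASH_SESSION_KEY)
    if stored is not None:
        if constant_time:
            same = constant_time_compare(stored, expected)
        else:
            same = stored == expected  # short-circuits at the first differing byte
        if not same:
            session = {}  # flush: nothing from the old session survives
    session[HASH_SESSION_KEY] = expected
    return session
```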