diff options
| author | Michael Manfre <mike@manfre.net> | 2024-06-14 22:12:58 -0400 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2024-07-09 09:42:29 -0300 |
| commit | f5d16483f3abfd33e301fb5c2005b80bd6d05aaf (patch) | |
| tree | 26eeffdb4c893acc55d8c91a36e100b24d6dae9d /django | |
| parent | 44aef996c8d723198e89ca834cb1d746e2e72d77 (diff) | |
[5.1.x] Fixed CVE-2024-39329 -- Standarized timing of verify_password() when checking unusuable passwords.
Refs #20760.
Thanks Michael Manfre for the fix and to Adam Johnson for the review.
Diffstat (limited to 'django')
| -rw-r--r-- | django/contrib/auth/hashers.py | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py index b539747561..4c22c20795 100644 --- a/django/contrib/auth/hashers.py +++ b/django/contrib/auth/hashers.py @@ -39,14 +39,20 @@ def verify_password(password, encoded, preferred="default"): three part encoded digest, and the second whether to regenerate the password. """ - if password is None or not is_password_usable(encoded): - return False, False + fake_runtime = password is None or not is_password_usable(encoded) preferred = get_hasher(preferred) try: hasher = identify_hasher(encoded) except ValueError: # encoded is gibberish or uses a hasher that's no longer installed. + fake_runtime = True + + if fake_runtime: + # Run the default password hasher once to reduce the timing difference + # between an existing user with an unusable password and a nonexistent + # user or missing hasher (similar to #20760). + make_password(get_random_string(UNUSABLE_PASSWORD_SUFFIX_LENGTH)) return False, False hasher_changed = hasher.algorithm != preferred.algorithm |
