summaryrefslogtreecommitdiff
path: root/django
diff options
context:
space:
mode:
authorMichael Manfre <mike@manfre.net>2024-06-14 22:12:58 -0400
committerNatalia <124304+nessita@users.noreply.github.com>2024-07-09 09:42:29 -0300
commitf5d16483f3abfd33e301fb5c2005b80bd6d05aaf (patch)
tree26eeffdb4c893acc55d8c91a36e100b24d6dae9d /django
parent44aef996c8d723198e89ca834cb1d746e2e72d77 (diff)
[5.1.x] Fixed CVE-2024-39329 -- Standarized timing of verify_password() when checking unusuable passwords.
Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review.
Diffstat (limited to 'django')
-rw-r--r--django/contrib/auth/hashers.py10
1 files changed, 8 insertions, 2 deletions
diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
index b539747561..4c22c20795 100644
--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
@@ -39,14 +39,20 @@ def verify_password(password, encoded, preferred="default"):
three part encoded digest, and the second whether to regenerate the
password.
"""
- if password is None or not is_password_usable(encoded):
- return False, False
+ fake_runtime = password is None or not is_password_usable(encoded)
preferred = get_hasher(preferred)
try:
hasher = identify_hasher(encoded)
except ValueError:
# encoded is gibberish or uses a hasher that's no longer installed.
+ fake_runtime = True
+
+ if fake_runtime:
+ # Run the default password hasher once to reduce the timing difference
+ # between an existing user with an unusable password and a nonexistent
+ # user or missing hasher (similar to #20760).
+ make_password(get_random_string(UNUSABLE_PASSWORD_SUFFIX_LENGTH))
return False, False
hasher_changed = hasher.algorithm != preferred.algorithm