Diffstat (limited to 'django/contrib/auth/handlers/modwsgi.py')
| -rw-r--r-- | django/contrib/auth/handlers/modwsgi.py | 12 |
1 files changed, 2 insertions, 10 deletions
diff --git a/django/contrib/auth/handlers/modwsgi.py b/django/contrib/auth/handlers/modwsgi.py
index 086db89fc8..e19de0baff 100644
--- a/django/contrib/auth/handlers/modwsgi.py
+++ b/django/contrib/auth/handlers/modwsgi.py
@@ -8,8 +8,7 @@ def _get_user(username):
 """
 Return the UserModel instance for `username`.
- If no matching user exists, or if the user is inactive, return None, in
- which case the default password hasher is run to mitigate timing attacks.
+ If no matching user exists, or if the user is inactive, return None.
 """
 try:
 user = UserModel._default_manager.get_by_natural_key(username)
@@ -18,12 +17,6 @@ def _get_user(username):
 else:
 if not user.is_active:
 user = None
-
- if user is None:
- # Run the default password hasher once to reduce the timing difference
- # between existing/active and nonexistent/inactive users (#20760).
- UserModel().set_password("")
-
 return user
@@ -43,8 +36,7 @@ def check_password(environ, username, password):
 db.reset_queries()
 try:
 user = _get_user(username)
- if user:
- return user.check_password(password)
+ return auth.check_password_with_timing_attack_mitigation(user, password)
 finally:
 db.close_old_connections() |
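Review bot: In the last hunk, the result of `check_password` for a missing or inactive user now depends entirely on `auth.check_password_with_timing_attack_mitigation`, whose definition is not part of this diff (the diffstat is limited to this file). The removed `if user:` branch appears to have fallen through to an implicit `None` in that case, which kept "no such user" distinct from a `False` for a wrong password. If the helper returns `False` when `user is None`, that distinction is silently lost. I would confirm the helper's `None` behaviour, pin it with a test on an unknown username, and document it at the call site, e.g. `# Must yield None (not False) when user is None; the helper is expected to run a hasher in that case to equalise timing.` The body of `check_password` starts and ends outside the hunk, and the import that brings `auth` into scope is not visible here either.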
