| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2025-08-26 13:37:34 +0200 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2025-08-27 10:50:50 +0200 |
| commit | d0e4dd5cdd743a5c43c4ccc2c8fa29d3982eaa71 (patch) | |
| tree | ed64921a0f27e8df1b5ce69b729d34dfbfc9d815 /django/core | |
| parent | c594574175e379fff356e274893d797f6e6a95fa (diff) | |
Fixed #36572 -- Revert "Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()."
This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0.
Diffstat (limited to 'django/core')
| -rw-r--r-- | django/core/signing.py | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/django/core/signing.py b/django/core/signing.py
index 222710efee..ed56ce0908 100644
--- a/django/core/signing.py
+++ b/django/core/signing.py
@@ -36,13 +36,12 @@ These functions make use of all of them.
 import base64
 import datetime
-import hmac
 import json
 import time
 import zlib
 from django.conf import settings
-from django.utils.crypto import salted_hmac
+from django.utils.crypto import constant_time_compare, salted_hmac
 from django.utils.encoding import force_bytes
 from django.utils.module_loading import import_string
 from django.utils.regex_helper import _lazy_re_compile
@@ -210,7 +209,7 @@ class Signer:
 raise BadSignature('No "%s" found in value' % self.sep)
 value, sig = signed_value.rsplit(self.sep, 1)
 for key in [self.key, *self.fallback_keys]:
- if hmac.compare_digest(sig, self.signature(value, key)):
+ if constant_time_compare(sig, self.signature(value, key)):
 return value
 raise BadSignature('Signature "%s" does not match' % sig) |
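Review bot: The restored `constant_time_compare(sig, self.signature(value, key))` call in the second hunk carries no comment saying why the wrapper is used instead of `hmac.compare_digest()`, which is presumably how the reverted change came to look like a safe simplification. `sig` is split off the caller-supplied `signed_value`, and as far as I know `hmac.compare_digest()` raises `TypeError` for `str` arguments containing non-ASCII characters, whereas Django's helper converts both sides to bytes first; if that is the reason for the revert, a tampered signature should end in `BadSignature` rather than an unhandled exception. I would add above the `if`: `# constant_time_compare() coerces both sides to bytes; sig is untrusted and may be non-ASCII.` This view is limited to django/core, so I cannot see whether a regression test with a non-ASCII signature accompanies the revert, and the enclosing method starts outside the hunk.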
