| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2025-08-26 13:37:34 +0200 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2025-08-27 10:50:50 +0200 |
| commit | d0e4dd5cdd743a5c43c4ccc2c8fa29d3982eaa71 (patch) | |
| tree | ed64921a0f27e8df1b5ce69b729d34dfbfc9d815 /django/middleware | |
| parent | c594574175e379fff356e274893d797f6e6a95fa (diff) | |
Fixed #36572 -- Revert "Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()."
This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0.
Diffstat (limited to 'django/middleware')
| -rw-r--r-- | django/middleware/csrf.py | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py index 113db56196..c2800cfad4 100644 --- a/django/middleware/csrf.py +++ b/django/middleware/csrf.py @@ -5,7 +5,6 @@ This module provides a middleware that implements protection against request forgeries from other sites. """ -import hmac import logging import string from collections import defaultdict @@ -16,7 +15,7 @@ from django.core.exceptions import DisallowedHost, ImproperlyConfigured from django.http import HttpHeaders, UnreadablePostError from django.urls import get_callable from django.utils.cache import patch_vary_headers -from django.utils.crypto import get_random_string +from django.utils.crypto import constant_time_compare, get_random_string from django.utils.deprecation import MiddlewareMixin from django.utils.functional import cached_property from django.utils.http import is_same_domain @@ -155,7 +154,7 @@ def _does_token_match(request_csrf_token, csrf_secret): if len(request_csrf_token) == CSRF_TOKEN_LENGTH: request_csrf_token = _unmask_cipher_token(request_csrf_token) assert len(request_csrf_token) == CSRF_SECRET_LENGTH - return hmac.compare_digest(request_csrf_token, csrf_secret) + return constant_time_compare(request_csrf_token, csrf_secret) class RejectRequest(Exception): |
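Review bot: The restored `return constant_time_compare(request_csrf_token, csrf_secret)` in the third hunk (`_does_token_match`) has no comment saying why the Django helper is preferred over `hmac.compare_digest()`, so the same cleanup could be attempted again. `hmac.compare_digest()` raises `TypeError` when given a `str` containing non-ASCII characters, and the helper presumably avoids that by coercing both arguments to bytes first; its body is not on this page, so that should be confirmed. I would add above the return: `# constant_time_compare() accepts non-ASCII str; hmac.compare_digest() raises TypeError on it.` The function starts above the hunk, so whether the token is already limited to ASCII by this point cannot be seen here.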
