[5.0.x] Fixed CVE-2024-39329 -- Standarized timing of verify_password() when checking unusuable passwords.

Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review.
author: Michael Manfre <mike@manfre.net> 2024-06-14 22:12:58 -0400
committer: Natalia <124304+nessita@users.noreply.github.com> 2024-07-09 10:03:20 -0300
commit: 07cefdee4a9d1fcd9a3a631cbd07c78defd1923b (patch)
tree: 34e5c5f44608fdcffd4c6ed0a6dbce944da7bf42 /django
parent: 7285644640f085f41d60ab0c8ae4e9153f0485db (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
index b63904cd75..32abcf7fbe 100644
--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
@@ -40,14 +40,20 @@ def verify_password(password, encoded, preferred="default"):
     three part encoded digest, and the second whether to regenerate the
     password.
     """
-    if password is None or not is_password_usable(encoded):
-        return False, False
+    fake_runtime = password is None or not is_password_usable(encoded)
 
     preferred = get_hasher(preferred)
     try:
         hasher = identify_hasher(encoded)
     except ValueError:
         # encoded is gibberish or uses a hasher that's no longer installed.
+        fake_runtime = True
+
+    if fake_runtime:
+        # Run the default password hasher once to reduce the timing difference
+        # between an existing user with an unusable password and a nonexistent
+        # user or missing hasher (similar to #20760).
+        make_password(get_random_string(UNUSABLE_PASSWORD_SUFFIX_LENGTH))
         return False, False
 
     hasher_changed = hasher.algorithm != preferred.algorithm
author	Michael Manfre <mike@manfre.net>	2024-06-14 22:12:58 -0400
committer	Natalia <124304+nessita@users.noreply.github.com>	2024-07-09 10:03:20 -0300
commit	07cefdee4a9d1fcd9a3a631cbd07c78defd1923b (patch)
tree	34e5c5f44608fdcffd4c6ed0a6dbce944da7bf42 /django
parent	7285644640f085f41d60ab0c8ae4e9153f0485db (diff)