mirror of https://github.com/django/django.git synced 2025-10-27 23:56:08 +00:00

Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest().

Signed-off-by: SaJH <wogur981208@gmail.com>
SaJH
2025-08-22 15:32:09 +02:00
committed by Sarah Boyce
parent 3ba24c18e7
commit 0246f47888
9 changed files with 48 additions and 24 deletions


@@ -1,7 +1,8 @@
import hmac
from datetime import datetime
from django.conf import settings
from django.utils.crypto import constant_time_compare, salted_hmac
from django.utils.crypto import salted_hmac
from django.utils.http import base36_to_int, int_to_base36
@@ -67,7 +68,7 @@ class PasswordResetTokenGenerator:
# Check that the timestamp/uid has not been tampered with
for secret in [self.secret, *self.secret_fallbacks]:
if constant_time_compare(
if hmac.compare_digest(
self._make_token_with_timestamp(user, ts, secret),
token,
):
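Review bot: The new `if hmac.compare_digest(` call passes `token` straight through, and `hmac.compare_digest()` raises `TypeError` when given two `str` arguments if either contains non-ASCII characters, or when given one `str` and one `bytes`. As far as I recall, the deprecated helper coerced both arguments to bytes first, so a malformed token simply compared unequal. `token` looks like caller-supplied input, so unless validation earlier in the method (outside this hunk) already restricts it to ASCII, a bad token could now surface as an unhandled exception instead of a failed check. Consider comparing bytes on both sides, e.g. `self._make_token_with_timestamp(user, ts, secret).encode(),` and `token.encode(),`, or catching `TypeError` and treating it as a mismatch, and add a test with a non-ASCII token. The enclosing method starts and ends outside the hunk.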