Fixed #36572 -- Revert "Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()."

This reverts commit 0246f47888.
2025-10-27 07:36:08 +00:00 · 2025-08-26 13:37:34 +02:00
parent c594574175
commit d0e4dd5cdd
9 changed files with 28 additions and 48 deletions
--- a/django/contrib/auth/tokens.py
+++ b/django/contrib/auth/tokens.py
@@ -1,8 +1,7 @@
-import hmac
 from datetime import datetime

 from django.conf import settings
-from django.utils.crypto import salted_hmac
+from django.utils.crypto import constant_time_compare, salted_hmac
 from django.utils.http import base36_to_int, int_to_base36


@@ -68,7 +67,7 @@ class PasswordResetTokenGenerator:

        # Check that the timestamp/uid has not been tampered with
        for secret in [self.secret, *self.secret_fallbacks]:
-            if hmac.compare_digest(
+            if constant_time_compare(
                self._make_token_with_timestamp(user, ts, secret),
                token,
            ):