[Django] #26614: Use constant_time_compare() in checking session auth hash in login()


Django

May 13, 2016, 4:56:28 PM5/13/16
to django-...@googlegroups.com
#26614: Use constant_time_compare() in checking session auth hash in login()
------------------------------------------------+------------------------
Reporter: Alex | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Keywords:
Triage Stage: Accepted | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
[https://github.com/django/django/blob/104727030c52a6cd5e85fdcc64dd6cfc906fc241/django/contrib/auth/__init__.py#L103
django.contrib.auth.login()] should use a constant time comparison so that
an attacker is unable to gain information about the expected session hash.

The implication seems to be that an attacker might be able to guess the
salted hmac of the password, which should be pretty much worthless, and
they would also have to guess the session ID, so this is more hardening
than a security vulnerability.

--
Ticket URL: <https://code.djangoproject.com/ticket/26614>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
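
The following is an added example written for this page; it is not Django's code and not part of the ticket. It models the session auth hash the way django.contrib.auth builds it (an HMAC-SHA1 over the stored password hash, keyed from SECRET_KEY through a key salt), then contrasts a short-circuiting comparison, which stops at the first mismatching character and so leaks how long the matching prefix is, with hmac.compare_digest, the function that django.utils.crypto.constant_time_compare() wraps. The SECRET_KEY and password hash values are constructed samples; the leak is reported as a count of characters examined rather than as measured time, so it runs deterministically offline.

```python
"""Added example: why login() should compare session auth hashes in constant time."""
import hashlib
import hmac

SECRET_KEY = "constructed-secret-key-for-this-example"  # assumption, sample value
KEY_SALT = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash"
PASSWORD_HASH = "pbkdf2_sha256$24000$constructedsalt$constructedhash"  # sample


def session_auth_hash(password_hash):
    """Salted HMAC-SHA1 of the password hash, modelled on Django's salted_hmac():
    the HMAC key is sha1(key_salt + secret), the message is the password hash."""
    key = hashlib.sha1((KEY_SALT + SECRET_KEY).encode()).digest()
    return hmac.new(key, password_hash.encode(), hashlib.sha1).hexdigest()


def leaky_compare(expected, candidate):
    """Model of an early-exit comparison such as str == str.

    Returns (equal, chars_examined). The count is the side channel: work stops
    at the first mismatch, so the time taken grows with the length of the
    matching prefix. A timing attacker observes that, not the boolean.
    """
    examined = 0
    for a, b in zip(expected, candidate):
        examined += 1
        if a != b:
            return False, examined
    return len(expected) == len(candidate), examined


def chars_leaked_for_prefix(expected, k):
    """Characters leaky_compare() examines when the candidate matches exactly
    the first k characters of the expected hash and differs at position k."""
    if k >= len(expected):
        return leaky_compare(expected, expected)[1]
    wrong = "0" if expected[k] != "0" else "1"
    candidate = expected[:k] + wrong + expected[k + 1:]
    return leaky_compare(expected, candidate)[1]


def check_session_before_fix(session_hash, password_hash):
    """The pre-#26614 pattern: a plain comparison that may short-circuit."""
    return session_hash == session_auth_hash(password_hash)


def check_session_after_fix(session_hash, password_hash):
    """The fixed pattern: constant-time comparison. Django's
    constant_time_compare() does the same via hmac.compare_digest()."""
    expected = session_auth_hash(password_hash).encode()
    return hmac.compare_digest(session_hash.encode(), expected)


def leak_profile(password_hash, prefix_lengths):
    """Map each matching-prefix length to the work an early-exit comparison
    does: the profile rises one step per matched character, which is the
    information the ticket wants to stop leaking."""
    expected = session_auth_hash(password_hash)
    return {k: chars_leaked_for_prefix(expected, k) for k in prefix_lengths}


if __name__ == "__main__":
    expected = session_auth_hash(PASSWORD_HASH)
    print("expected session auth hash:", expected)
    print("early-exit work by matched prefix:", leak_profile(PASSWORD_HASH, [0, 10, 20, 39]))
    print("before fix, correct hash accepted:", check_session_before_fix(expected, PASSWORD_HASH))
    print("after fix, correct hash accepted: ", check_session_after_fix(expected, PASSWORD_HASH))
    print("after fix, empty hash rejected:   ", not check_session_after_fix("", PASSWORD_HASH))
```

The per-character difference in a real string comparison is on the order of nanoseconds and is buried under network and interpreter noise, and an attacker would also need a valid session ID for the user, which is why the ticket files this as hardening rather than a vulnerability; the constant-time version costs nothing and removes the channel regardless.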

Django

May 13, 2016, 5:05:32 PM5/13/16
to django-...@googlegroups.com
#26614: Use constant_time_compare() in checking session auth hash in login()
--------------------------------------+------------------------------------
Reporter: Alex | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by timgraham):

* has_patch: 0 => 1


Comment:

[https://github.com/django/django/pull/6597 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/26614#comment:1>

Django

May 13, 2016, 6:26:28 PM5/13/16
to django-...@googlegroups.com
#26614: Use constant_time_compare() in checking session auth hash in login()
--------------------------------------+------------------------------------
Reporter: Alex | Owner: nobody
Type: Cleanup/optimization | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: new => closed
* resolution: => fixed


Comment:

In [changeset:"094ea69e072779661d36e46a6caec0fea4b3ca16" 094ea69]:
{{{
#!CommitTicketReference repository=""
revision="094ea69e072779661d36e46a6caec0fea4b3ca16"
Fixed #26614 -- Used constant_time_compare() in checking session auth hash
in login().
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/26614#comment:2>
