diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py index 092cccedde..2e0fb0a034 100644 --- a/django/contrib/auth/hashers.py +++ b/django/contrib/auth/hashers.py @@ -9,7 +9,7 @@ from django.conf import settings from django.test.signals import setting_changed from django.utils import importlib from django.utils.datastructures import SortedDict -from django.utils.encoding import force_bytes, force_str +from django.utils.encoding import force_bytes, force_str, force_text from django.core.exceptions import ImproperlyConfigured from django.utils.crypto import ( pbkdf2, constant_time_compare, get_random_string) @@ -291,7 +291,7 @@ class BCryptSHA256PasswordHasher(BasePasswordHasher): password = force_bytes(password) data = bcrypt.hashpw(password, salt) - return "%s$%s" % (self.algorithm, data) + return "%s$%s" % (self.algorithm, force_text(data)) def verify(self, password, encoded): algorithm, data = encoded.split('$', 1) @@ -307,6 +307,9 @@ class BCryptSHA256PasswordHasher(BasePasswordHasher): else: password = force_bytes(password) + # Ensure that our data is a bytestring + data = force_bytes(data) + return constant_time_compare(data, bcrypt.hashpw(password, data)) def safe_summary(self, encoded):