From 6d660b0c27029817bc20406454ba565d09cfa31d Mon Sep 17 00:00:00 2001
From: Matt Westcott
Date: Tue, 28 Apr 2020 14:45:23 +0100
Subject: [PATCH] Use constant_time_compare for view restriction password checks

---
 wagtail/core/forms.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/wagtail/core/forms.py b/wagtail/core/forms.py
index 0a5ad8a8e2..37394c361b 100644
--- a/wagtail/core/forms.py
+++ b/wagtail/core/forms.py
@@ -1,4 +1,5 @@
 from django import forms
+from django.utils.crypto import constant_time_compare
 from django.utils.translation import gettext as _
 from django.utils.translation import gettext_lazy
@@ -13,7 +14,7 @@ class PasswordViewRestrictionForm(forms.Form):
     def clean_password(self):
         data = self.cleaned_data['password']
-        if data != self.restriction.password:
+        if not constant_time_compare(data, self.restriction.password):
             raise forms.ValidationError(_("The password you have entered is not correct. Please try again."))
         return data
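Review bot: The new `constant_time_compare` call in clean_password carries no comment explaining why the plain `!=` was unsafe, so a later cleanup could revert it without noticing; a one-line comment above it would pin the intent, e.g. `# constant-time compare: a plain != short-circuits on the first differing character and could leak the stored password through response timing`. Note that the submitted value is compared directly against `self.restriction.password`, which means the restriction secret is held in a directly comparable (plaintext) form; the timing-safe compare protects that value per request but does not limit guessing, so any throttling of this form lives outside this hunk and is worth confirming separately. `constant_time_compare` also still distinguishes inputs of different length, which is acceptable here but should be understood as a property of the helper rather than a full fix. The enclosing PasswordViewRestrictionForm class starts outside the hunk.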