Use constant_time_compare for view restriction password checks

2024-11-29 17:36:49 +01:00 · 2020-04-28 14:45:23 +01:00 · 2020-04-28 14:45:23 +01:00 · 6d660b0c27
commit 6d660b0c27
parent 1ef36d0420
1 changed files with 2 additions and 1 deletions
--- a/wagtail/core/forms.py
+++ b/wagtail/core/forms.py
@ -1,4 +1,5 @@
 from django import forms
+from django.utils.crypto import constant_time_compare
 from django.utils.translation import gettext as _
 from django.utils.translation import gettext_lazy

@ -13,7 +14,7 @@ class PasswordViewRestrictionForm(forms.Form):

    def clean_password(self):
        data = self.cleaned_data['password']
-        if data != self.restriction.password:
+        if not constant_time_compare(data, self.restriction.password):
            raise forms.ValidationError(_("The password you have entered is not correct. Please try again."))

        return data