diff options
| author | Alex Gaynor <alex.gaynor@gmail.com> | 2016-10-02 21:20:13 -0400 |
|---|---|---|
| committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2016-10-02 20:20:13 -0500 |
| commit | fcebaa0db74dc822877128e57a79dcfda2a2dc4f (patch) | |
| tree | 24c40c116bb945ad671990bc0965d70c82202509 /src/bcrypt | |
| parent | e977a1deea4712897f1cdae9ee682fef0e8fd1ce (diff) | |
| download | py-bcrypt-git-fcebaa0db74dc822877128e57a79dcfda2a2dc4f.tar.gz | |
Correctly handle invalid hashed passwords in bcrypt.checkpw. (#95)
Previously it would silently accept extra data, and overread a buffer on truncated data.
Reported by Matthew Russell
Diffstat (limited to 'src/bcrypt')
| -rw-r--r-- | src/bcrypt/__init__.py | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/bcrypt/__init__.py b/src/bcrypt/__init__.py index cd779a6..301ccb6 100644 --- a/src/bcrypt/__init__.py +++ b/src/bcrypt/__init__.py @@ -106,6 +106,9 @@ def checkpw(password, hashed_password): ret = hashpw(password, hashed_password) + if len(ret) != len(hashed_password): + return False + return _bcrypt.lib.timingsafe_bcmp(ret, hashed_password, len(ret)) == 0 |