使用 compare_digest 抵御时差攻击

2025-07-18 00:59:05 +08:00
parent 4148e362b9
commit bf3b0e5f7e
1 changed files with 1 additions and 1 deletions
--- a/pkg/password/pwd.py
+++ b/pkg/password/pwd.py
@@ -56,4 +56,4 @@ class Password:
                                      100000)
        pwdhash = binascii.hexlify(pwdhash).decode('ascii')
        
-        return pwdhash == stored_password
+        return secrets.compare_digest(pwdhash, stored_password)