Merge pull request #86 from James1345/develop

3.1.1 release
jazzband · Jan 25, 2018 · 1cacfda · 1cacfda
2 parents e2c5958 + a79bb79
commit 1cacfda
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 2 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,3 +1,8 @@
+######
+3.1.1
+######
+- use hmac.compare_digest instead of == for comparing hashes for more security
+
 ######
 3.1.0
 ######

diff --git a/docs/changes.md b/docs/changes.md
@@ -1,5 +1,8 @@
 #Changelog
 
+## 3.1.1
+- use hmac.compare_digest instead of == for comparing hashes for more security
+
 ## 3.1.0
 - drop Django 1.8 support as djangorestframework did so too in v.3.7.0
 - build rest-knox on Django 1.11 and 2.0

diff --git a/knox/auth.py b/knox/auth.py
@@ -1,3 +1,5 @@
+from hmac import compare_digest
+
 from django.conf import settings
 from django.utils.translation import ugettext_lazy as _
 from django.utils import timezone
@@ -68,7 +70,7 @@ def authenticate_credentials(self, token):
                 digest = hash_token(token, auth_token.salt)
             except TypeError:
                 raise exceptions.AuthenticationFailed(msg)
-            if digest == auth_token.digest:
+            if compare_digest(digest, auth_token.digest):
                 return self.validate_user(auth_token)
         # Authentication with this token has failed
         raise exceptions.AuthenticationFailed(msg)

diff --git a/setup.py b/setup.py
@@ -16,7 +16,7 @@
     # Versions should comply with PEP440.  For a discussion on single-sourcing
     # the version across setup.py and the project code, see
     # https://packaging.python.org/en/latest/single_source_version.html
-    version='3.1.0',
+    version='3.1.1',
     description='Authentication for django rest framework',
     long_description=long_description,
-Original file line number
+Diff line change
@@ -1,3 +1,8 @@
+    ######
+.1.1
+    ######
+    - use hmac.compare_digest instead of == for comparing hashes for more security
     ######
 .1.0
     ######
@@ Expand Down @@