mirror of https://github.com/django/django.git synced 2025-11-07 07:15:35 +00:00

[1.6.x] Ensure that passwords are never long enough for a DoS.

* Limit the password length to 4096 bytes
  * Password hashers will raise a ValueError
  * django.contrib.auth forms will fail validation
* Document in release notes that this is a backwards incompatible change

Thanks to Josh Wright for the report, and Donald Stufft for the patch.

This is a security fix; disclosure to follow shortly.

Backport of aae5a96d57 from master.
Russell Keith-Magee
2013-09-15 13:46:16 +08:00
parent 4c4954a3c1
commit 5ecc0f828e
4 changed files with 153 additions and 17 deletions


@@ -869,6 +869,14 @@ Miscellaneous
to prevent django from deleting the temporary .pot file it generates before
creating the .po file.
* Passwords longer than 4096 bytes in length will no longer work and will
instead raise a ``ValueError`` when using the hasher directory or the
built in forms shipped with ``django.contrib.auth`` will fail validation.
The rationale behind this is a possibility of a Denial of Service attack when
using a slow password hasher, such as the default PBKDF2, and sending very
large passwords.
Features deprecated in 1.6
==========================
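Review bot: the first sentence of the added bullet does not parse as written: "will no longer work and will instead raise a ``ValueError`` when using the hasher directory or the built in forms shipped with ``django.contrib.auth`` will fail validation" fuses two clauses, and "hasher directory" is presumably meant to be "hasher directly". Suggest splitting it into two statements, e.g. "Passwords longer than 4096 bytes will raise a ``ValueError`` when a hasher is called directly, and the built-in forms shipped with ``django.contrib.auth`` will fail validation for them." The rationale sentence would also read more cleanly as "The rationale is the possibility of a Denial of Service attack when using a slow password hasher, such as the default PBKDF2, and sending very large passwords."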