mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00

Cleaned up 1.5.4/1.4.8 release notes

Tim Graham
2013-09-15 14:14:26 -04:00
parent aae5a96d57
commit 8d29005524
9 changed files with 108 additions and 19 deletions

@@ -780,6 +780,22 @@ as JSON requires string keys, you will likely run into problems if you are
using non-string keys in ``request.session``. See the
:ref:`session_serialization` documentation for more details.
4096-byte limit on passwords
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. note::
This behavior was also added in the Django 1.5.4 and 1.4.8 security
releases.
Historically, Django has imposed no length limit on plaintext
passwords. This enables a denial-of-service attack through submission
of bogus but extremely large passwords, tying up server resources
performing the (expensive, and increasingly expensive with the length
of the password) calculation of the corresponding hash.
Django now imposes a 4096-byte limit on password length, and will fail
authentication with any submitted password of greater length.
Miscellaneous
~~~~~~~~~~~~~
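
Review bot: The final paragraph of the new "4096-byte limit on passwords" section gives the limit in bytes but then calls it a limit on "password length", so a reader cannot tell how a non-ASCII password is measured (encoded bytes or characters). It also says Django "will fail authentication" without saying what the caller observes: a form validation error, or an ordinary failed login that looks the same as a wrong password. Suggest one sentence stating the unit the limit is measured in and one stating how the rejection surfaces, so that projects with custom authentication forms or backends know whether they need a matching check. Separately, the parenthetical "(expensive, and increasingly expensive with the length of the password)" interrupts the sentence; wording such as "a hash calculation whose cost grows with the length of the password" would read more cleanly.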