mirrors
/
django
mirror of https://github.com/django/django.git
1
0
Fork 0
Code Issues 16 Releases Wiki Activity

Removed 1.6 release note text regarding password limit length. 

This changed was reverted in 5d74853e15.
This commit is contained in:
Tim Graham 2013-10-17 18:58:24 -04:00
parent 7e5d7a76bf
commit d97bec5ee3
1 changed files with 0 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
docs/releases/1.6.txt
View File

@ -810,22 +810,6 @@ as JSON requires string keys, you will likely run into problems if you are
using non-string keys in ``request.session``. See the
:ref:`session_serialization` documentation for more details.
4096-byte limit on passwords
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. note::
This behavior was also added in the Django 1.5.4 and 1.4.8 security
releases.
Historically, Django has imposed no length limit on plaintext
passwords. This enables a denial-of-service attack through submission
of bogus but extremely large passwords, tying up server resources
performing the (expensive, and increasingly expensive with the length
of the password) calculation of the corresponding hash.
Django now imposes a 4096-byte limit on password length, and will fail
authentication with any submitted password of greater length.
Miscellaneous
~~~~~~~~~~~~~