django/docs/releases/1.5.4.txt

==========================
Django 1.5.4 release notes
==========================

*September 14, 2013*

This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses
two security issues and one bug.

Denial-of-service via password hashers
======================================

In previous versions of Django, no limit was imposed on the plaintext
length of a password. This allowed a denial-of-service attack through
submission of bogus but extremely large passwords, tying up server
resources performing the (expensive, and increasingly expensive with
the length of the password) calculation of the corresponding hash.

As of 1.5.4, Django's authentication framework imposes a 4096-byte
limit on passwords, and will fail authentication with any submitted
password of greater length.

Corrected usage of :func:`~django.views.decorators.debug.sensitive_post_parameters` in :mod:`django.contrib.auth`’s admin
=========================================================================================================================

The decoration of the ``add_view`` and ``user_change_password`` user admin
views with :func:`~django.views.decorators.debug.sensitive_post_parameters`
did not include :func:`~django.utils.decorators.method_decorator` (required
since the views are methods) resulting in the decorator not being properly
applied. This usage has been fixed and
:func:`~django.views.decorators.debug.sensitive_post_parameters` will now
throw an exception if it's improperly used.

Bugfixes
========

* Fixed a bug that prevented a ``QuerySet`` that uses
  :meth:`~django.db.models.query.QuerySet.prefetch_related` from being pickled
  and unpickled more than once (the second pickling attempt raised an
  exception) (#21102).