diff options
| author | Alex Gaynor <alex.gaynor@gmail.com> | 2010-12-23 03:45:08 +0000 |
|---|---|---|
| committer | Alex Gaynor <alex.gaynor@gmail.com> | 2010-12-23 03:45:08 +0000 |
| commit | 6819be1ea17ace34ae3a5c31ab0be960e99fcb85 (patch) | |
| tree | 1b18d86cf3c6fac406b98f6ec796385ea057d35d /django/utils | |
| parent | 732198ed5c2a127249970e0cd4218d093a38e9a2 (diff) | |
Fix a security issue in the auth system. Disclosure and new release forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15032 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'django/utils')
| -rw-r--r-- | django/utils/http.py | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/django/utils/http.py b/django/utils/http.py index 610fcbf685..e18d8dd29c 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -73,8 +73,13 @@ def http_date(epoch_seconds=None): def base36_to_int(s): """ - Convertd a base 36 string to an integer + Converts a base 36 string to an ``int``. To prevent + overconsumption of server resources, raises ``ValueError` if the + input is longer than 13 base36 digits (13 digits is sufficient to + base36-encode any 64-bit integer). """ + if len(s) > 13: + raise ValueError("Base36 input too large") return int(s, 36) def int_to_base36(i): |
