summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorRussell Keith-Magee <russell@keith-magee.com>2013-09-15 13:40:16 +0800
committerRussell Keith-Magee <russell@keith-magee.com>2013-09-15 13:42:23 +0800
commitaae5a96d5754ad34e48b7f673ef2411a3bbc1015 (patch)
tree36dd4a8d23f361edbb2c1346153d7334e4cd5603 /docs
parent351a061497b262e2ef994552d04c31b63d801179 (diff)
Ensure that passwords are never long enough for a DoS.
* Limit the password length to 4096 bytes * Password hashers will raise a ValueError * django.contrib.auth forms will fail validation * Document in release notes that this is a backwards incompatible change Thanks to Josh Wright for the report, and Donald Stufft for the patch. This is a security fix; disclosure to follow shortly.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.7.txt8
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/releases/1.7.txt b/docs/releases/1.7.txt
index 3e247fd211..3456c74ff0 100644
--- a/docs/releases/1.7.txt
+++ b/docs/releases/1.7.txt
@@ -402,6 +402,14 @@ Miscellaneous
Rationale behind this is removal of dependency of non-contrib code on
contrib applications.
+* Passwords longer than 4096 bytes in length will no longer work and will
+ instead raise a ``ValueError`` when using the hasher directory or the
+ built in forms shipped with ``django.contrib.auth`` will fail validation.
+
+ The rationale behind this is a possibility of a Denial of Service attack when
+ using a slow password hasher, such as the default PBKDF2, and sending very
+ large passwords.
+
Features deprecated in 1.7
==========================