diff options
| author | Russell Keith-Magee <russell@keith-magee.com> | 2013-09-15 13:40:16 +0800 |
|---|---|---|
| committer | Russell Keith-Magee <russell@keith-magee.com> | 2013-09-15 13:42:23 +0800 |
| commit | aae5a96d5754ad34e48b7f673ef2411a3bbc1015 (patch) | |
| tree | 36dd4a8d23f361edbb2c1346153d7334e4cd5603 /docs | |
| parent | 351a061497b262e2ef994552d04c31b63d801179 (diff) | |
Ensure that passwords are never long enough for a DoS.
* Limit the password length to 4096 bytes
* Password hashers will raise a ValueError
* django.contrib.auth forms will fail validation
* Document in release notes that this is a backwards incompatible change
Thanks to Josh Wright for the report, and Donald Stufft for the patch.
This is a security fix; disclosure to follow shortly.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.7.txt | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/releases/1.7.txt b/docs/releases/1.7.txt index 3e247fd211..3456c74ff0 100644 --- a/docs/releases/1.7.txt +++ b/docs/releases/1.7.txt @@ -402,6 +402,14 @@ Miscellaneous Rationale behind this is removal of dependency of non-contrib code on contrib applications. +* Passwords longer than 4096 bytes in length will no longer work and will + instead raise a ``ValueError`` when using the hasher directory or the + built in forms shipped with ``django.contrib.auth`` will fail validation. + + The rationale behind this is a possibility of a Denial of Service attack when + using a slow password hasher, such as the default PBKDF2, and sending very + large passwords. + Features deprecated in 1.7 ========================== |
