From 5ecc0f828ebe270cfc92a0a2bfb4268800907904 Mon Sep 17 00:00:00 2001 From: Russell Keith-Magee Date: Sun, 15 Sep 2013 13:46:16 +0800 Subject: [1.6.x] Ensure that passwords are never long enough for a DoS. * Limit the password length to 4096 bytes * Password hashers will raise a ValueError * django.contrib.auth forms will fail validation * Document in release notes that this is a backwards incompatible change Thanks to Josh Wright for the report, and Donald Stufft for the patch. This is a security fix; disclosure to follow shortly. Backport of aae5a96d5754ad34e48b7f673ef2411a3bbc1015 from master. --- docs/releases/1.6.txt | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'docs') diff --git a/docs/releases/1.6.txt b/docs/releases/1.6.txt index 2d1a24b844..8bbc483542 100644 --- a/docs/releases/1.6.txt +++ b/docs/releases/1.6.txt @@ -869,6 +869,14 @@ Miscellaneous to prevent django from deleting the temporary .pot file it generates before creating the .po file. +* Passwords longer than 4096 bytes in length will no longer work and will + instead raise a ``ValueError`` when using the hasher directory or the + built in forms shipped with ``django.contrib.auth`` will fail validation. + + The rationale behind this is a possibility of a Denial of Service attack when + using a slow password hasher, such as the default PBKDF2, and sending very + large passwords. + Features deprecated in 1.6 ========================== -- cgit v1.3