From aae5a96d5754ad34e48b7f673ef2411a3bbc1015 Mon Sep 17 00:00:00 2001 From: Russell Keith-Magee Date: Sun, 15 Sep 2013 13:40:16 +0800 Subject: Ensure that passwords are never long enough for a DoS. * Limit the password length to 4096 bytes * Password hashers will raise a ValueError * django.contrib.auth forms will fail validation * Document in release notes that this is a backwards incompatible change Thanks to Josh Wright for the report, and Donald Stufft for the patch. This is a security fix; disclosure to follow shortly. --- docs/releases/1.7.txt | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'docs') diff --git a/docs/releases/1.7.txt b/docs/releases/1.7.txt index 3e247fd211..3456c74ff0 100644 --- a/docs/releases/1.7.txt +++ b/docs/releases/1.7.txt @@ -402,6 +402,14 @@ Miscellaneous Rationale behind this is removal of dependency of non-contrib code on contrib applications. +* Passwords longer than 4096 bytes in length will no longer work and will + instead raise a ``ValueError`` when using the hasher directory or the + built in forms shipped with ``django.contrib.auth`` will fail validation. + + The rationale behind this is a possibility of a Denial of Service attack when + using a slow password hasher, such as the default PBKDF2, and sending very + large passwords. + Features deprecated in 1.7 ========================== -- cgit v1.3