authorRussell Keith-Magee <russell@keith-magee.com>2013-09-15 13:48:15 +0800
committerRussell Keith-Magee <russell@keith-magee.com>2013-09-15 13:48:15 +0800
commit22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc (patch)
tree504b5c88849fc2c1dd6f22d83c4cd5e6c0ab1d2a /django/contrib/auth/forms.py
parente66fe357b2324f984e91392286b3b0e6b5dd627e (diff)
[1.5.x] Ensure that passwords are never long enough for a DoS.
* Limit the password length to 4096 bytes * Password hashers will raise a ValueError * django.contrib.auth forms will fail validation * Document in release notes that this is a backwards incompatible change Thanks to Josh Wright for the report, and Donald Stufft for the patch. This is a security fix; disclosure to follow shortly. Backport of aae5a96d5754ad34e48b7f673ef2411a3bbc1015 from master.
Diffstat (limited to 'django/contrib/auth/forms.py')
-rw-r--r--django/contrib/auth/forms.py48
1 files changed, 35 insertions, 13 deletions
diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
index cbce8ad6e2..d191635a9b 100644
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -12,7 +12,9 @@ from django.utils.translation import ugettext, ugettext_lazy as _
from django.contrib.auth import authenticate, get_user_model
from django.contrib.auth.models import User
-from django.contrib.auth.hashers import UNUSABLE_PASSWORD, identify_hasher
+from django.contrib.auth.hashers import (
+ MAXIMUM_PASSWORD_LENGTH, UNUSABLE_PASSWORD, identify_hasher,
+)
from django.contrib.auth.tokens import default_token_generator
from django.contrib.sites.models import get_current_site
@@ -75,9 +77,10 @@ class UserCreationForm(forms.ModelForm):
'invalid': _("This value may contain only letters, numbers and "
"@/./+/-/_ characters.")})
password1 = forms.CharField(label=_("Password"),
- widget=forms.PasswordInput)
+ widget=forms.PasswordInput, max_length=MAXIMUM_PASSWORD_LENGTH)
password2 = forms.CharField(label=_("Password confirmation"),
widget=forms.PasswordInput,
+ max_length=MAXIMUM_PASSWORD_LENGTH,
help_text=_("Enter the same password as above, for verification."))
class Meta:
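Review bot: The `max_length=MAXIMUM_PASSWORD_LENGTH` added to password1 and password2 bounds the field in characters, because a form CharField's max_length validates `len()` of the decoded string, while the commit description states the limit as 4096 bytes enforced by the hashers with a ValueError. If the hasher measures the encoded length as the description suggests, a password of 4096 non-ASCII characters passes form validation and still reaches the hasher, where the ValueError would surface from `save()` as an unhandled error rather than as a validation message; checking the encoded length in the field's `clean` step, or documenting that the constant is a character count, would close that gap. A short why-comment on the field would also help the next reader, e.g. `# Bounded so an over-long password never reaches the (slow) hasher; see MAXIMUM_PASSWORD_LENGTH.`. The same applies to the AuthenticationForm, SetPasswordForm, PasswordChangeForm and AdminPasswordChangeForm hunks below. UserCreationForm's body continues outside the hunk.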
@@ -145,7 +148,11 @@ class AuthenticationForm(forms.Form):
username/password logins.
"""
username = forms.CharField(max_length=254)
- password = forms.CharField(label=_("Password"), widget=forms.PasswordInput)
+ password = forms.CharField(
+ label=_("Password"),
+ widget=forms.PasswordInput,
+ max_length=MAXIMUM_PASSWORD_LENGTH,
+ )
error_messages = {
'invalid_login': _("Please enter a correct %(username)s and password. "
@@ -269,10 +276,16 @@ class SetPasswordForm(forms.Form):
error_messages = {
'password_mismatch': _("The two password fields didn't match."),
}
- new_password1 = forms.CharField(label=_("New password"),
- widget=forms.PasswordInput)
- new_password2 = forms.CharField(label=_("New password confirmation"),
- widget=forms.PasswordInput)
+ new_password1 = forms.CharField(
+ label=_("New password"),
+ widget=forms.PasswordInput,
+ max_length=MAXIMUM_PASSWORD_LENGTH,
+ )
+ new_password2 = forms.CharField(
+ label=_("New password confirmation"),
+ widget=forms.PasswordInput,
+ max_length=MAXIMUM_PASSWORD_LENGTH,
+ )
def __init__(self, user, *args, **kwargs):
self.user = user
@@ -303,8 +316,11 @@ class PasswordChangeForm(SetPasswordForm):
'password_incorrect': _("Your old password was entered incorrectly. "
"Please enter it again."),
})
- old_password = forms.CharField(label=_("Old password"),
- widget=forms.PasswordInput)
+ old_password = forms.CharField(
+ label=_("Old password"),
+ widget=forms.PasswordInput,
+ max_length=MAXIMUM_PASSWORD_LENGTH,
+ )
def clean_old_password(self):
"""
@@ -329,10 +345,16 @@ class AdminPasswordChangeForm(forms.Form):
error_messages = {
'password_mismatch': _("The two password fields didn't match."),
}
- password1 = forms.CharField(label=_("Password"),
- widget=forms.PasswordInput)
- password2 = forms.CharField(label=_("Password (again)"),
- widget=forms.PasswordInput)
+ password1 = forms.CharField(
+ label=_("Password"),
+ widget=forms.PasswordInput,
+ max_length=MAXIMUM_PASSWORD_LENGTH,
+ )
+ password2 = forms.CharField(
+ label=_("Password (again)"),
+ widget=forms.PasswordInput,
+ max_length=MAXIMUM_PASSWORD_LENGTH,
+ )
def __init__(self, user, *args, **kwargs):
self.user = user