author    Russell Keith-Magee <russell@keith-magee.com>  2013-09-15 13:46:16 +0800
committer Russell Keith-Magee <russell@keith-magee.com>  2013-09-15 13:46:16 +0800
commit    5ecc0f828ebe270cfc92a0a2bfb4268800907904 (patch)
tree      7e9e3559ababb4f1158f5d72d67a1fc89d824527 /docs/releases/1.6.txt
parent    4c4954a3c133e824390296f6bb444622a8b25331 (diff)
[1.6.x] Ensure that passwords are never long enough for a DoS.
* Limit the password length to 4096 bytes
* Password hashers will raise a ValueError
* django.contrib.auth forms will fail validation
* Document in release notes that this is a backwards incompatible change

Thanks to Josh Wright for the report, and Donald Stufft for the patch.

This is a security fix; disclosure to follow shortly.

Backport of aae5a96d5754ad34e48b7f673ef2411a3bbc1015 from master.
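The commit message describes the mitigation pattern: check the encoded size of a password before it reaches a slow key-derivation function, so that an oversized input is rejected cheaply instead of costing a full PBKDF2 run. The following is an added illustration of that pattern in plain Python, not Django's own hasher code; the function names, the `pbkdf2_sha256$iterations$salt$hash` string layout, the iteration count and the `MAX_PASSWORD_BYTES` constant are assumptions chosen for the example, with only the 4096-byte limit taken from the commit message.

```python
import hashlib
import hmac
import os
from typing import Optional

# Upper bound on the encoded password size (bytes, not characters). The value
# mirrors the limit named in the commit message; the guard itself is an
# assumed, illustrative implementation and not Django's code.
MAX_PASSWORD_BYTES = 4096

# Deliberately modest iteration count so the example runs quickly; a real
# deployment uses a far higher count, which is exactly why oversized input
# must be rejected before the derivation starts.
ITERATIONS = 1000


def exceeds_limit(password: str) -> bool:
    """True if the UTF-8 encoding of the password is longer than the limit."""
    return len(password.encode("utf-8")) > MAX_PASSWORD_BYTES


def check_password_length(password: str) -> bytes:
    """Encode the password and reject it if it exceeds the byte limit.

    The check is made on the encoded bytes: 4096 multi-byte characters are
    longer than 4096 bytes once encoded, so a character count would let
    larger inputs through.
    """
    encoded = password.encode("utf-8")
    if len(encoded) > MAX_PASSWORD_BYTES:
        raise ValueError(
            f"password exceeds {MAX_PASSWORD_BYTES} bytes "
            f"({len(encoded)} bytes after UTF-8 encoding)"
        )
    return encoded


def make_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a PBKDF2-HMAC-SHA256 hash, refusing oversized passwords first.

    Returns "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>" so that the
    parameters travel with the digest (an assumed layout for this example).
    """
    encoded = check_password_length(password)  # guard runs before any KDF work
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", encoded, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive and compare in constant time.

    Oversized input is turned away before the expensive derivation, so a
    login form cannot be used to burn CPU with very large passwords.
    """
    try:
        encoded = check_password_length(password)
    except ValueError:
        return False
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", encoded, bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    stored = make_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("a" * 5000, stored))  # False, without running PBKDF2
```

The order of operations is the whole point: `check_password_length` is the first thing both entry points do, and it is linear in the input size, so the cost of a rejected request stays negligible regardless of how slow the hasher's iteration count makes an accepted one.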
Diffstat (limited to 'docs/releases/1.6.txt')
-rw-r--r--  docs/releases/1.6.txt  8
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/releases/1.6.txt b/docs/releases/1.6.txt
index 2d1a24b844..8bbc483542 100644
--- a/docs/releases/1.6.txt
+++ b/docs/releases/1.6.txt
@@ -869,6 +869,14 @@ Miscellaneous
to prevent django from deleting the temporary .pot file it generates before
creating the .po file.
+* Passwords longer than 4096 bytes in length will no longer work and will
+ instead raise a ``ValueError`` when using the hasher directory or the
+ built in forms shipped with ``django.contrib.auth`` will fail validation.
+
+ The rationale behind this is a possibility of a Denial of Service attack when
+ using a slow password hasher, such as the default PBKDF2, and sending very
+ large passwords.
+
Features deprecated in 1.6
==========================
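Review bot: the first sentence of the new bullet is hard to parse and contains a typo: "hasher directory" should read "hasher directly", and the two separate outcomes that the commit message lists (the hashers raise ``ValueError``; the ``django.contrib.auth`` forms fail validation) have been run together into a single clause. Suggest splitting them, for example: "Passwords longer than 4096 bytes will no longer work. The password hashers raise a ``ValueError`` when used directly, and the built-in forms shipped with ``django.contrib.auth`` will fail validation." While there, "4096 bytes in length" is redundant and "built in" should be hyphenated as "built-in".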