# HG changeset patch
# User Marcin Lulek
# Date 2017-09-27 08:52:17
# Node ID a51e727d5d4713f95b1ee91bdeed1265d12af81f
# Parent 9d6857d7641668dcf558b348e978e3bddf7fc3a9
security: limit the maximum password lenght to 72 characters to prevent possible server side resource consumption attack.
- bcrypt heavy computation can lead to DOS using a very long password .eg 10**8 lenght.
- we allowed this on registration or on password update
diff --git a/rhodecode/model/forms.py b/rhodecode/model/forms.py
--- a/rhodecode/model/forms.py
+++ b/rhodecode/model/forms.py
@@ -90,6 +90,7 @@ def LoginForm():
     password = v.UnicodeString(
         strip=False,
         min=3,
+        max=72,
         not_empty=True,
         messages={
             'empty': _(u'Please enter a password'),
@@ -111,21 +112,21 @@ def UserForm(edit=False, available_langu
     if edit:
         new_password = All(
             v.ValidPassword(),
-            v.UnicodeString(strip=False, min=6, not_empty=False)
+            v.UnicodeString(strip=False, min=6, max=72, not_empty=False)
         )
         password_confirmation = All(
             v.ValidPassword(),
-            v.UnicodeString(strip=False, min=6, not_empty=False),
+            v.UnicodeString(strip=False, min=6, max=72, not_empty=False),
         )
         admin = v.StringBoolean(if_missing=False)
     else:
         password = All(
             v.ValidPassword(),
-            v.UnicodeString(strip=False, min=6, not_empty=True)
+            v.UnicodeString(strip=False, min=6, max=72, not_empty=True)
         )
         password_confirmation = All(
             v.ValidPassword(),
-            v.UnicodeString(strip=False, min=6, not_empty=False)
+            v.UnicodeString(strip=False, min=6, max=72, not_empty=False)
         )
         password_change = v.StringBoolean(if_missing=False)
 
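Review bot: The new `max=72` on the `LoginForm` password field will reject the login of any existing account whose password was set longer than 72 characters before this commit (the message says registration and password update allowed that), even though bcrypt only ever used the first 72 bytes, so those users get a validation error rather than a successful login and a password reset for affected accounts should be planned alongside the change. formencode's `max` counts characters while bcrypt's limit is 72 bytes, so the cap bounds the hashing work but is not byte-exact; a comment such as `max=72,  # bcrypt uses at most 72 bytes; longer input is only wasted hashing work` would record the reason next to the number. The form validator guards only the HTML login, so if any other authentication path feeds a password into the same hash check, the same cap belongs there as well. The too-long failure will use formencode's default message, since `messages` here overrides only 'empty'. LoginForm continues outside the hunk.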
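Review bot: The literal `72` now appears in four validators in `UserForm` and twice more in `RegisterForm` (next hunk) with nothing saying where that number comes from; a module-level `PASSWORD_MAX_LENGTH = 72  # bcrypt hashes at most the first 72 bytes` used as `max=PASSWORD_MAX_LENGTH` would keep these forms and `LoginForm` consistent and make the rationale visible to the next person tempted to raise it. The ordering inside `All` deserves a comment too: formencode's `All` applies its validators in reverse order for `to_python`, so the `v.UnicodeString(... max=72 ...)` listed last runs before `v.ValidPassword()`, which means `ValidPassword` never receives an unbounded string — swapping the two lines would quietly undo that. Because `max` is a character count, a 72-character non-ASCII password can still encode to more than 72 bytes and is silently truncated by bcrypt; that predates this change, but it is why the constant should be documented as a limit of the hash rather than a policy choice. UserForm continues outside the hunk.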
@@ -207,11 +208,11 @@ def RegisterForm(edit=False, old_data={}
     )
     password = All(
         v.ValidPassword(),
-        v.UnicodeString(strip=False, min=6, not_empty=True)
+        v.UnicodeString(strip=False, min=6, max=72, not_empty=True)
     )
     password_confirmation = All(
         v.ValidPassword(),
-        v.UnicodeString(strip=False, min=6, not_empty=True)
+        v.UnicodeString(strip=False, min=6, max=72, not_empty=True)
     )
     active = v.StringBoolean(if_missing=False)
     firstname = v.UnicodeString(strip=True, min=1, not_empty=False)
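Review bot: No regression test accompanies the change, and `RegisterForm` is the unauthenticated path the commit message names as the original exposure, so a test that a 72-character password passes and a 73-character one fails validation for `RegisterForm`, `UserForm` and `LoginForm` would pin the limit on the entry point that matters most. The remarks on the repeated `72` literal and on validator order inside `All` made for the `UserForm` hunk apply to both validators here as well. RegisterForm begins and ends outside the hunk.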