# HG changeset patch
# User Marcin Lulek
# Date 2017-09-27 08:52:17
# Node ID f22a9ea9665ca1f35323d824cf9e9c5e8b67422f
# Parent d6d013155c75faa45be3978eb6c429b91fde0be6
security: limit the maximum password lenght to 72 characters to prevent possible server side resource consumption attack.
- bcrypt heavy computation can lead to DOS using a very long password .eg 10**8 lenght.
- we allowed this on registration or on password update
diff --git a/rhodecode/model/forms.py b/rhodecode/model/forms.py
--- a/rhodecode/model/forms.py
+++ b/rhodecode/model/forms.py
@@ -92,6 +92,7 @@ def LoginForm():
         password = v.UnicodeString(
             strip=False,
             min=3,
+            max=72,
             not_empty=True,
             messages={
                 'empty': _(u'Please enter a password'),
@@ -113,21 +114,21 @@ def UserForm(edit=False, available_langu
         if edit:
             new_password = All(
                 v.ValidPassword(),
-                v.UnicodeString(strip=False, min=6, not_empty=False)
+                v.UnicodeString(strip=False, min=6, max=72, not_empty=False)
             )
             password_confirmation = All(
                 v.ValidPassword(),
-                v.UnicodeString(strip=False, min=6, not_empty=False),
+                v.UnicodeString(strip=False, min=6, max=72, not_empty=False),
             )
             admin = v.StringBoolean(if_missing=False)
         else:
             password = All(
                 v.ValidPassword(),
-                v.UnicodeString(strip=False, min=6, not_empty=True)
+                v.UnicodeString(strip=False, min=6, max=72, not_empty=True)
             )
             password_confirmation = All(
                 v.ValidPassword(),
-                v.UnicodeString(strip=False, min=6, not_empty=False)
+                v.UnicodeString(strip=False, min=6, max=72, not_empty=False)
             )
             password_change = v.StringBoolean(if_missing=False)
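Review bot: The `max=72` on the LoginForm `password` validator bounds what reaches the password hash only for logins submitted through this form; if passwords are also verified on paths that do not go through a formencode schema (HTTP basic auth for VCS clients, the JSON-RPC API, auth plugins — none of which this hunk shows), those paths keep the unbounded input, so the same cap belongs in the password-verification helper itself, immediately before the hash is computed. Note that formencode's `max` counts characters, not bytes, so a 72-character non-ASCII password can still exceed bcrypt's 72-byte input limit; that is acceptable for the resource-exhaustion goal since the byte length is now bounded, but it deserves a comment such as `# bcrypt only consumes the first 72 bytes; cap input so oversized passwords cannot burn CPU`. The `messages` dict that continues below the hunk customizes only `'empty'`, so the new rejection will surface formencode's default `tooLong` text; consider adding `'tooLong': _(u'Password must be at most 72 characters long'),` next to it. The `password` validator's argument list continues past the end of the hunk.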
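Review bot: The literal `72` is repeated in all four UserForm validators in this hunk and again in the LoginForm and RegisterForm hunks, with nothing in the code explaining where the number comes from; a single module-level constant such as `PASSWORD_MAX_LENGTH = 72  # bcrypt input limit in bytes; longer input is only wasted work` used as `max=PASSWORD_MAX_LENGTH` keeps the limit in one place and carries the rationale that is currently only in the commit message. Each `All(...)` also runs `v.ValidPassword()` on the same unbounded value; its implementation is not in the hunk, but if it does anything proportional to input length, check formencode's `All` ordering so the cheap length check is the validator that runs first. The enclosing UserForm body continues on both sides of the hunk.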
@@ -209,11 +210,11 @@ def RegisterForm(edit=False, old_data={}
         )
         password = All(
             v.ValidPassword(),
-            v.UnicodeString(strip=False, min=6, not_empty=True)
+            v.UnicodeString(strip=False, min=6, max=72, not_empty=True)
         )
         password_confirmation = All(
             v.ValidPassword(),
-            v.UnicodeString(strip=False, min=6, not_empty=True)
+            v.UnicodeString(strip=False, min=6, max=72, not_empty=True)
         )
         active = v.StringBoolean(if_missing=False)
         firstname = v.UnicodeString(strip=True, min=1, not_empty=False)