innov
/
django1
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity

[1.6.x] Removed 1.6 release note text regarding password limit length. 

This changed was reverted in 5d74853e15.

Backport of d97bec5ee3 from master
This commit is contained in:
Tim Graham 2013-10-17 18:58:24 -04:00
parent b2f9c74ed1
commit 37afcbeb92
1 changed files with 0 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
docs/releases/1.6.txt
View File

@ -810,22 +810,6 @@ as JSON requires string keys, you will likely run into problems if you are
using non-string keys in ``request.session``. See the using non-string keys in ``request.session``. See the
:ref:`session_serialization` documentation for more details. :ref:`session_serialization` documentation for more details.
4096-byte limit on passwords
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. note::
This behavior was also added in the Django 1.5.4 and 1.4.8 security
releases.
Historically, Django has imposed no length limit on plaintext
passwords. This enables a denial-of-service attack through submission
of bogus but extremely large passwords, tying up server resources
performing the (expensive, and increasingly expensive with the length
of the password) calculation of the corresponding hash.
Django now imposes a 4096-byte limit on password length, and will fail
authentication with any submitted password of greater length.
Miscellaneous Miscellaneous
~~~~~~~~~~~~~ ~~~~~~~~~~~~~