Removed 1.6 release note text regarding password limit length.
This changed was reverted in 5d74853e15.
This commit is contained in:
Tim Graham
parent
7e5d7a76bf
commit
d97bec5ee3
|
|
@ -810,22 +810,6 @@ as JSON requires string keys, you will likely run into problems if you are
|
|||
using non-string keys in ``request.session``. See the
|
||||
:ref:`session_serialization` documentation for more details.
|
||||
|
||||
4096-byte limit on passwords
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
.. note::
|
||||
This behavior was also added in the Django 1.5.4 and 1.4.8 security
|
||||
releases.
|
||||
|
||||
Historically, Django has imposed no length limit on plaintext
|
||||
passwords. This enables a denial-of-service attack through submission
|
||||
of bogus but extremely large passwords, tying up server resources
|
||||
performing the (expensive, and increasingly expensive with the length
|
||||
of the password) calculation of the corresponding hash.
|
||||
|
||||
Django now imposes a 4096-byte limit on password length, and will fail
|
||||
authentication with any submitted password of greater length.
|
||||
|
||||
Miscellaneous
|
||||
~~~~~~~~~~~~~
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue