33 lines
1.5 KiB
Plaintext
33 lines
1.5 KiB
Plaintext
==========================
|
||
Django 1.4.8 release notes
|
||
==========================
|
||
|
||
*September 14, 2013*
|
||
|
||
Django 1.4.8 fixes two security issues present in previous Django releases in
|
||
the 1.4 series.
|
||
|
||
Denial-of-service via password hashers
|
||
--------------------------------------
|
||
|
||
In previous versions of Django, no limit was imposed on the plaintext
|
||
length of a password. This allowed a denial-of-service attack through
|
||
submission of bogus but extremely large passwords, tying up server
|
||
resources performing the (expensive, and increasingly expensive with
|
||
the length of the password) calculation of the corresponding hash.
|
||
|
||
As of 1.4.8, Django's authentication framework imposes a 4096-byte
|
||
limit on passwords and will fail authentication with any submitted
|
||
password of greater length.
|
||
|
||
Corrected usage of :func:`~django.views.decorators.debug.sensitive_post_parameters` in :mod:`django.contrib.auth`’s admin
|
||
-------------------------------------------------------------------------------------------------------------------------
|
||
|
||
The decoration of the ``add_view`` and ``user_change_password`` user admin
|
||
views with :func:`~django.views.decorators.debug.sensitive_post_parameters`
|
||
did not include :func:`~django.utils.decorators.method_decorator` (required
|
||
since the views are methods) resulting in the decorator not being properly
|
||
applied. This usage has been fixed and
|
||
:func:`~django.views.decorators.debug.sensitive_post_parameters` will now
|
||
throw an exception if it's improperly used.
|