Thinking about it, this is non-authenticated load drive, which can definitely facilitate a DoS, so if we find a good fix for this, I'd rather issue an OSSA about it. How about in the security fix we truncate the password to the first 128/256 characters before feeding it to passlib? Would that be a good trade-off?
Alternatively, we can consider this a strengthening issue rather than a vulnerability, and have a configurable value we would truncate to... but that would only be for havana.
Adding Rob Clark from OSSG for input.
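As an added illustration of the truncate-before-hashing mitigation discussed in the comment above (example code written here, not Keystone's or passlib's own): the password is capped at a fixed number of characters before it reaches the hashing scheme, and the identical cap is applied on the verify path so that stored hashes keep matching. The cap of 128 characters, the `hash_password`/`verify_password` names and the use of hashlib's PBKDF2-HMAC-SHA512 as a stand-in for passlib's scheme are assumptions of this example. It also shows the trade-off the comment is weighing: once truncated, two passwords that differ only after the cut hash identically.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed cap for this example; the comment discusses 128 or 256 characters.
MAX_PASSWORD_LENGTH = 128
# Stand-in cost parameter; passlib's schemes carry their own rounds setting.
PBKDF2_ROUNDS = 20_000


def truncate_password(password: str, max_length: int = MAX_PASSWORD_LENGTH) -> bytes:
    """Cap the password at max_length characters BEFORE it reaches the hashing scheme.

    Work on characters first, then encode: hashing cost no longer grows with the
    size of the submitted password, and a multi-byte UTF-8 character is never split.
    """
    if not isinstance(password, str):
        raise TypeError("password must be str")
    return password[:max_length].encode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex' for the (truncated) password.

    hashlib's PBKDF2-HMAC-SHA512 is used here purely as a stand-in for passlib.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", truncate_password(password), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Apply the SAME truncation on verify; a cap on only one path would lock users out."""
    salt_hex, digest_hex = stored.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.pbkdf2_hmac("sha512", truncate_password(password), salt, PBKDF2_ROUNDS)
    # Constant-time comparison so the verify step leaks nothing about the digest.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def suffix_after_cap_is_ignored(prefix: str, suffix: str) -> bool:
    """Demonstrate the trade-off: text beyond the cap does not change the hash."""
    stored = hash_password(prefix + suffix)
    return verify_password(prefix, stored)


if __name__ == "__main__":
    # Constructed inputs: a very long submitted password and its capped form.
    oversized = "x" * 1_000_000
    print("bytes actually hashed:", len(truncate_password(oversized)))
    stored = hash_password(oversized)
    print("long password verifies:", verify_password(oversized, stored))
    print("first 128 chars alone verify:", suffix_after_cap_is_ignored("x" * 128, "y" * 50))
```

The cap is enforced in one helper that both paths share; if the limit is later made configurable (the second option in the comment), only `MAX_PASSWORD_LENGTH` changes and existing hashes of passwords shorter than the old cap remain valid.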