Comment 3 for bug 1175906

Thierry Carrez (ttx) wrote : Re: passlib long password DoS

Adding Rob Clark from OSSG for input.

Thinking about it, this is non-authenticated load drive, which can definitely facilitate a DoS, so if we find a good fix for this, I'd rather issue an OSSA about it. How about in the security fix we truncate the password to the first 128/256 characters before feeding it to passlib? Would that be a good trade-off?

Alternatively, we can consider this a strengthening issue rather than a vulnerability, and have a configurable value we would truncate to... but that would only be for Havana.
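The truncation proposed in the comment above, as an added example that is not code from the bug report or from Keystone: the length bound is applied identically when setting and when checking a password, so the hashing cost no longer depends on attacker-chosen input size. It assumes hashlib's PBKDF2 as a stand-in for passlib's sha512_crypt so it runs without passlib installed; the function names and the 128-character default are the example's own.

```python
import hashlib
import hmac
import os

# The 128/256 character cut-off discussed in the comment; 128 chosen here
# as an illustrative default (assumption, not a project setting).
MAX_PASSWORD_LENGTH = 128


def trunc_password(password, max_length=MAX_PASSWORD_LENGTH):
    """Return at most max_length characters of the password.

    Applied on both the set and verify paths so that a user whose password
    exceeds the limit still authenticates with the full string. Truncating
    by character rather than by encoded byte avoids splitting a multi-byte
    UTF-8 sequence.
    """
    return password[:max_length] if len(password) > max_length else password


def hash_password(password, max_length=MAX_PASSWORD_LENGTH, salt=None, rounds=50_000):
    """Hash a length-bounded password.

    sha512_crypt (passlib) does work proportional to the password length on
    every round, which is what makes unauthenticated long passwords a load
    driver; bounding the input first caps that cost. PBKDF2-HMAC-SHA512 is
    used here only so the example runs stand-alone (assumption).
    """
    salt = os.urandom(16) if salt is None else salt
    pw = trunc_password(password, max_length).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha512", pw, salt, rounds)
    return salt.hex() + "$" + digest.hex()


def check_password(password, stored, max_length=MAX_PASSWORD_LENGTH, rounds=50_000):
    """Verify with the same truncation, comparing digests in constant time."""
    salt_hex, _digest_hex = stored.split("$", 1)
    candidate = hash_password(password, max_length, bytes.fromhex(salt_hex), rounds)
    return hmac.compare_digest(candidate, stored)
```

The trade-off the comment raises is visible in the check: any characters beyond the limit are silently ignored, so a deployment that prefers not to accept that should reject over-long passwords at set time instead of truncating.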