A serious DoS vulnerability was reported in Django today:

    https://www.djangoproject.com/weblog/2013/sep/15/security/

We use the same default hashing algorithm for passwords, PBKDF2, so some of 
you may worry about the same vulnerability affecting web2py. Well, no! We 
are safe. This is because web2py always validates (and always did) the 
length of the password strings, which is capped at 256 bytes. 

https://github.com/web2py/web2py/blob/master/gluon/dal.py#L6892
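As an added illustration of the mitigation described above (this is example code, not web2py's own implementation nor code from this post): enforce the byte-length cap before any PBKDF2 work is done, so an over-long password is rejected cheaply. The 256-byte cap comes from the post; the iteration count, salt size, digest and storage format are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not from the post); only the 256-byte cap is web2py's.
MAX_PASSWORD_BYTES = 256
ITERATIONS = 100_000
SALT_BYTES = 16


class PasswordTooLong(ValueError):
    """Raised when a password exceeds the byte cap."""


def check_length(password: str, limit: int = MAX_PASSWORD_BYTES) -> bytes:
    """Return the UTF-8 bytes of password, or raise if they exceed the cap.

    The cap is measured in bytes, not characters: 200 four-byte code points
    are 800 bytes and are rejected, which is what matters for HMAC cost.
    """
    raw = password.encode("utf-8")
    if len(raw) > limit:
        raise PasswordTooLong(f"password is {len(raw)} bytes, limit is {limit}")
    return raw


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Length-check first, then run PBKDF2-HMAC-SHA512 and encode the result."""
    raw = check_length(password)
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", raw, salt, iterations)
    return f"pbkdf2(sha512,{iterations})${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Return True if password matches stored; over-long input fails fast."""
    try:
        raw = check_length(password)
    except PasswordTooLong:
        return False  # no PBKDF2 iterations are spent on the oversized input
    params, salt_hex, digest_hex = stored.split("$")
    iterations = int(params[params.index(",") + 1:-1])
    recomputed = hashlib.pbkdf2_hmac("sha512", raw, bytes.fromhex(salt_hex),
                                     iterations)
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))
```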

This is also the time to point out that web2py (since 2.6.x) uses its own 
implementation of PBKDF2, written by Michele Comitini, which is 10x faster 
than the original version used by Flask and Django.

Given this vulnerability (in Django), we will probably modify our library so 
that, if it is used outside of web2py, there is a maximum password length 
enforced by the library itself. You may see this patch in the near future. 
Again, this does not affect us but may affect others in case they choose to 
use it.

Massimo

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)