Web2py, king of frameworks, safely.



         Ovidio Marinho Falcao Neto
                  ITJP.NET.BR
             [email protected]
               83   8826 9088 - Oi
               83   9336 3782 - Claro
                        Brasil



2013/9/15 Massimo Di Pierro <[email protected]>

> A serious DoS vulnerability was found and reported in Django today:
>
>     https://www.djangoproject.com/weblog/2013/sep/15/security/
>
> We use the same default password hashing algorithm, PBKDF2, so some
> of you may worry about the same vulnerability affecting web2py. Well, NO! We
> are safe. This is because web2py always validates (and always did) the
> length of the password strings, and it is capped at 256 bytes.
>
> https://github.com/web2py/web2py/blob/master/gluon/dal.py#L6892
>
> This is also the time to point out that web2py (since 2.6.x) uses its own
> implementation of PBKDF2, written by Michele Comitini, which is 10x faster
> than the original version used by Flask and Django.
>
> Given this vulnerability (in Django), we will probably modify our library
> so that, if used outside of web2py, a maximum password length is enforced
> by the library itself. You may see this patch in the near future. Again,
> this does not affect us, but may affect others in case they choose to use it.
>
> Massimo
>
> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>

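The mechanism behind the quoted message, shown as an added example that is not code from web2py, Django or any of the people in this thread: a naive PBKDF2 that rebuilds the HMAC from the raw password on every iteration pays the HMAC key setup (a full SHA-256 pass over any key longer than the 64-byte block) `iterations` times, so the cost grows with password length, while a byte-length cap applied before hashing removes that lever. The 256-byte limit, the `check_password_length` and `hash_password_safely` names, the salt and the iteration counts are assumptions chosen for illustration; the naive implementation is only there to count the work and is cross-checked against `hashlib.pbkdf2_hmac`.

```python
import hashlib
import hmac
import struct

# Assumed cap, matching the 256-byte figure quoted in the thread (not web2py's code).
MAX_PASSWORD_BYTES = 256


class PasswordTooLong(ValueError):
    """Raised before any hashing work is done."""


def check_password_length(password: str, limit: int = MAX_PASSWORD_BYTES) -> bytes:
    """Reject oversize passwords *before* hashing.

    The limit is measured in UTF-8 bytes, not characters: a 129-character
    password made of 2-byte characters is already over a 256-byte cap.
    """
    data = password.encode("utf-8")
    if len(data) > limit:
        raise PasswordTooLong("password is %d bytes, limit is %d" % (len(data), limit))
    return data


def naive_pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 32):
    """PBKDF2-HMAC-SHA256 written the slow way (hypothetical, for measurement only).

    hmac.new(password, ...) is called on every iteration, so HMAC key setup is
    redone each time. A key longer than the SHA-256 block size (64 bytes) is
    first hashed down to a digest, which costs one SHA-256 pass over the whole
    password per call. Returns (derived_key, bytes_hashed_for_key_setup).
    """
    block_size = hashlib.sha256().block_size  # 64 bytes for SHA-256
    key_setup_bytes = 0

    def prf(msg: bytes) -> bytes:
        nonlocal key_setup_bytes
        if len(password) > block_size:
            # This is the length-dependent cost: SHA-256 over the full password.
            key_setup_bytes += len(password)
        return hmac.new(password, msg, hashlib.sha256).digest()

    derived = b""
    block_index = 1
    while len(derived) < dklen:
        u = prf(salt + struct.pack(">I", block_index))  # U_1 = PRF(P, S || INT(i))
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = prf(u)  # U_n = PRF(P, U_{n-1})
            for i, b in enumerate(u):
                t[i] ^= b  # T_i = U_1 xor U_2 xor ... xor U_c
        derived += bytes(t)
        block_index += 1
    return derived[:dklen], key_setup_bytes


def derive_reference(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """Standard-library PBKDF2, used as the correctness oracle for the naive version."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def hash_password_safely(password: str, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """Hardened form: cap the length first, then derive with the standard library."""
    data = check_password_length(password)
    return derive_reference(data, salt, iterations, dklen)


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample input, not a real deployment value
    for length in (64, 256, 4096):
        _, work = naive_pbkdf2_hmac_sha256(b"p" * length, salt, 100)
        print("password %5d bytes -> %8d bytes of key-setup hashing over 100 iterations" % (length, work))
    try:
        hash_password_safely("x" * 4096, salt, 100)
    except PasswordTooLong as exc:
        print("rejected before hashing:", exc)
```

The work counter is the point: with 100 iterations a 4096-byte password drives 409,600 bytes through SHA-256 just for key setup, while anything up to 64 bytes costs nothing extra, and the cap stops the request before the loop starts. A real attacker would send megabytes and the real iteration count is in the tens of thousands, so this scales into seconds per login attempt; a validator that runs before the hash, and counts bytes rather than characters, is the check that matters.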