I was wrong. The IS_LENGTH is default but overwritten by Auth. I am not 
sure whether we have the vulnerability or not since we use a different 
implementation of PBKDF2.

I have released 2.6.3 to address the issue.

Massimo

On Sunday, 15 September 2013 08:32:12 UTC-5, Massimo Di Pierro wrote:
>
> A serious DoS vulnerability was found and reported in Django today:
>
>     https://www.djangoproject.com/weblog/2013/sep/15/security/
>
> We use the same default hashing algorithm for passwords, PBKDF2, so some 
> of you may worry about the same vulnerability affecting web2py. Well NO! We 
> are safe. This is because web2py always validates (and always did) the 
> length of the password strings and it is capped to 256 bytes. 
>
> https://github.com/web2py/web2py/blob/master/gluon/dal.py#L6892
>
> This is also the time to point out that web2py (since 2.6.x) uses its own 
> implementation of PBKDF2, written by Michele Comitini, which is 10x faster 
> than the original version used by Flask and Django.
>
> Given this vulnerability (in Django) probably we will modify our library 
> so that, if used outside of web2py, there is a max password length enforced 
> by the library itself. You may see this patch in the near future. Again 
> this does not affect us but may affect others in case they choose to use it.
>
> Massimo
>

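The mitigation the thread describes, a length check on the password string before any PBKDF2 work is done, as an added example. This is illustrative code written for this page, not web2py's or Django's own implementation; the cap of 256 bytes is the figure quoted above, while the iteration count, hash name, storage format and function names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed constants for the example (not web2py's own settings).
MAX_PASSWORD_BYTES = 256   # the cap mentioned in the thread
PBKDF2_ITERATIONS = 1000   # deliberately low so the example runs quickly
HASH_NAME = "sha512"


class PasswordTooLong(ValueError):
    """Raised before any hashing work has been started."""


def check_password_length(password: bytes, limit: int = MAX_PASSWORD_BYTES) -> bytes:
    # The expensive part of the Django issue is that a naive PBKDF2 loop
    # builds a fresh HMAC keyed with the password on every iteration, and
    # HMAC must first hash any key longer than the block size. Cost then
    # grows with iterations * len(password), so an attacker-supplied
    # megabyte-long password burns CPU for every login attempt. The check
    # has to run before the first iteration, which is what this helper does.
    if len(password) > limit:
        raise PasswordTooLong(f"password is {len(password)} bytes; limit is {limit}")
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password only after it has passed the length check."""
    pw = check_password_length(password.encode("utf-8"))
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, pw, salt, PBKDF2_ITERATIONS)
    # Hypothetical storage format: algorithm$salt$derived-key, all hex.
    return f"pbkdf2({PBKDF2_ITERATIONS},{HASH_NAME})${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Verify a candidate password; oversized candidates fail without hashing."""
    try:
        pw = check_password_length(password.encode("utf-8"))
    except PasswordTooLong:
        return False
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(HASH_NAME, pw, bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(dk.hex(), dk_hex)


def classify(password: str) -> str:
    """Report whether a password would reach the hashing step at all."""
    try:
        check_password_length(password.encode("utf-8"))
        return "accepted"
    except PasswordTooLong:
        return "rejected"


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("normal login:", verify_password("correct horse battery staple", record))
    print("1 MB password:", classify("a" * 1_000_000))
```

The point of the ordering is that the length check is the cheap gate in front of the deliberately slow function: a 1 MB candidate is rejected by `verify_password` without a single PBKDF2 iteration, which is the property the thread is describing for web2py's 256-byte cap.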