This is very similar to 2.6.1 but fixes some problem with a missing admin file (also fixed in 2.6.2) and a potential DoS security issue.
The issue was first discovered in Django https://www.djangoproject.com/weblog/2013/sep/15/security/ We thank them for discovering and reporting it. In web2py 2.5.x and earlier we suffer from the same problem. This is because while the default password validator checks for length, the check is performed after hashing, before inserting the hashed password in database. In 2.6.1/2 we have a different implementation of the hashing algorithm and we do not know how severe the problem is. In any case 2.6.3 fixes the problem by truncating the password to 1024 chars when passed to the CRYPT validator. You should upgrade. Massimo -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
