added a extra level of protection for long passwords, even if IS_LENGTH validator is missing

2013-09-15 09:40:15 -05:00
parent b0f6dc4e16
commit 7dafb07438
3 changed files with 5 additions and 4 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-Version 2.6.2-stable+timestamp.2013.09.13.17.43.10
+Version 2.6.2-stable+timestamp.2013.09.15.09.39.16
--- a/applications/admin/controllers/default.py
+++ b/applications/admin/controllers/default.py
@@ -108,7 +108,7 @@ def index():
    if session.authorized:
        redirect(send)
    elif request.vars.password:
-        if verify_password(request.vars.password):
+        if verify_password(request.vars.password[:1024]):
            session.authorized = True
            login_record(True)

--- a/gluon/validators.py
+++ b/gluon/validators.py
@@ -2890,7 +2890,8 @@ class CRYPT(object):
                 key=None,
                 digest_alg='pbkdf2(1000,20,sha512)',
                 min_length=0,
-                 error_message='too short', salt=True):
+                 error_message='too short', salt=True,
+                 max_length=1024):
        """
        important, digest_alg='md5' is not the default hashing algorithm for
        web2py. This is only an example of usage of this function.
@@ -2898,7 +2899,7 @@ class CRYPT(object):
        The actual hash algorithm is determined from the key which is
        generated by web2py in tools.py. This defaults to hmac+sha512.
        """
-        self.key = key
+        self.key = key and key[:max_length]
        self.digest_alg = digest_alg
        self.min_length = min_length
        self.error_message = error_message