From 7dafb07438b4c1d544258951736e1cf3bdaf85ec Mon Sep 17 00:00:00 2001
From: mdipierro
Date: Sun, 15 Sep 2013 09:40:15 -0500
Subject: [PATCH] added a extra level of protection for long passwords, even if IS_LENGTH validator is missing

---
 VERSION                                   | 2 +-
 applications/admin/controllers/default.py | 2 +-
 gluon/validators.py                       | 5 +++--
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/VERSION b/VERSION
index 13792e4a..bf445cbb 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-Version 2.6.2-stable+timestamp.2013.09.13.17.43.10
+Version 2.6.2-stable+timestamp.2013.09.15.09.39.16
diff --git a/applications/admin/controllers/default.py b/applications/admin/controllers/default.py
index 2a8aae58..5afec708 100644
--- a/applications/admin/controllers/default.py
+++ b/applications/admin/controllers/default.py
@@ -108,7 +108,7 @@ def index():
     if session.authorized:
         redirect(send)
     elif request.vars.password:
-        if verify_password(request.vars.password):
+        if verify_password(request.vars.password[:1024]):
             session.authorized = True
             login_record(True)
 
diff --git a/gluon/validators.py b/gluon/validators.py
index e833ac26..d7a0712e 100644
--- a/gluon/validators.py
+++ b/gluon/validators.py
@@ -2890,7 +2890,8 @@ class CRYPT(object):
                  key=None, digest_alg='pbkdf2(1000,20,sha512)',
                  min_length=0,
-                 error_message='too short', salt=True):
+                 error_message='too short', salt=True,
+                 max_length=1024):
         """
         important, digest_alg='md5' is not the default hashing algorithm for
         web2py. This is only an example of usage of this function.
 
@@ -2898,7 +2899,7 @@ class CRYPT(object):
         The actual hash algorithm is determined from the key which is
         generated by web2py in tools.py. This defaults to hmac+sha512.
         """
-        self.key = key
+        self.key = key and key[:max_length]
         self.digest_alg = digest_alg
         self.min_length = min_length
         self.error_message = error_message
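Review bot: The `1024` in the new `verify_password(request.vars.password[:1024])` call is a bare literal that repeats the `max_length=1024` default this same commit adds to `CRYPT` in gluon/validators.py; if the two are meant to agree and later drift apart, the admin login and the hashing path would truncate at different lengths and a valid long password could stop verifying. Hoist it into a named module constant with the reason attached, e.g. `# bound attacker-controlled input length before the slow hash runs` / `MAX_PASSWORD_LENGTH = 1024`, and slice with `request.vars.password[:MAX_PASSWORD_LENGTH]`. The truncation is also silent: any submitted password longer than the bound is accepted whenever its first 1024 characters match, which is presumably the intended trade-off but should be stated in that comment. The enclosing `index()` starts before this hunk.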
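Review bot: The new `max_length=1024` parameter is not described in the docstring that immediately follows it, which only discusses `digest_alg` and `key`. Add a line such as `max_length: input longer than this is truncated before hashing, to bound the cost of the digest on attacker-controlled values`, and make sure the wording matches what the implementation actually truncates, since the parameter name promises a bound on the validated value. The `__init__` signature starts before this hunk.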
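Review bot: `self.key = key and key[:max_length]` truncates the HMAC key, i.e. the server-side secret handed to `CRYPT`, not the password being validated, so nothing in this hunk bounds the length of the user-supplied value that the commit title says it protects against, and `max_length` is not stored on the instance for `__call__` (outside the hunk) to apply later. Unless `__call__` already enforces a bound, the digest still runs over an arbitrarily long attacker-controlled value. Keep the key intact and persist the bound, `self.key = key` / `self.max_length = max_length`, then truncate the value in `__call__` before it reaches the hash, e.g. `value = value and value[:self.max_length]`. Truncating the key also changes which secret is used for any deployment whose configured key exceeds 1024 characters, which would make previously stored hashes fail to verify.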