diff options
author | Eli Collins <elic@assurancetechnologies.com> | 2012-04-09 19:19:41 -0400 |
---|---|---|
committer | Eli Collins <elic@assurancetechnologies.com> | 2012-04-09 19:19:41 -0400 |
commit | ce8e7d2438a3804b50e9af2712302de8d72c9f50 (patch) | |
tree | 49628955655aca237687660f94938d0652d271cc /passlib/utils | |
parent | 34f766f4a2f11b19ce233e136e435c131531e42c (diff) | |
download | passlib-ce8e7d2438a3804b50e9af2712302de8d72c9f50.tar.gz |
*all* hashes now throw PasswordSizeError if password is larger than 4096 chars; to prevent DOS issues.
Diffstat (limited to 'passlib/utils')
-rw-r--r-- | passlib/utils/__init__.py | 3 | ||||
-rw-r--r-- | passlib/utils/handlers.py | 10 |
2 files changed, 12 insertions, 1 deletions
diff --git a/passlib/utils/__init__.py b/passlib/utils/__init__.py index 24173f7..e8e5b27 100644 --- a/passlib/utils/__init__.py +++ b/passlib/utils/__init__.py @@ -105,6 +105,9 @@ _BEMPTY = b('') _UEMPTY = u("") _USPACE = u(" ") +# maximum password size which passlib will allow; see exc.PasswordSizeError +MAX_PASSWORD_SIZE = int(os.environ.get("PASSLIB_MAX_PASSWORD_SIZE") or 4096) + #================================================================================= #decorators and meta helpers #================================================================================= diff --git a/passlib/utils/handlers.py b/passlib/utils/handlers.py index 2d283c5..7c8b747 100644 --- a/passlib/utils/handlers.py +++ b/passlib/utils/handlers.py @@ -13,12 +13,14 @@ import os from warnings import warn # site # pkg +import passlib.exc as exc from passlib.exc import MissingBackendError, PasslibConfigWarning, \ PasslibHashWarning from passlib.registry import get_crypt_handler from passlib.utils import classproperty, consteq, getrandstr, getrandbytes,\ BASE64_CHARS, HASH64_CHARS, rng, to_native_str, \ - is_crypt_handler, deprecated_function, to_unicode + is_crypt_handler, deprecated_function, to_unicode, \ + MAX_PASSWORD_SIZE from passlib.utils.compat import b, join_byte_values, bytes, irange, u, \ uascii_to_str, join_unicode, unicode, str_to_uascii # local @@ -442,6 +444,8 @@ class GenericHandler(object): @classmethod def genhash(cls, secret, config, **context): + if secret and len(secret) > MAX_PASSWORD_SIZE: + raise exc.PasswordSizeError() self = cls.from_string(config, **context) self.checksum = self._calc_checksum(secret) return self.to_string() @@ -458,6 +462,8 @@ class GenericHandler(object): #========================================================= @classmethod def encrypt(cls, secret, **kwds): + if secret and len(secret) > MAX_PASSWORD_SIZE: + raise exc.PasswordSizeError() self = cls(use_defaults=True, **kwds) self.checksum = self._calc_checksum(secret) return self.to_string() @@ -467,6 +473,8 @@ class GenericHandler(object): # NOTE: classes with multiple checksum encodings should either # override this method, or ensure that from_string() / _norm_checksum() # ensures .checksum always uses a single canonical representation. + if secret and len(secret) > MAX_PASSWORD_SIZE: + raise exc.PasswordSizeError() self = cls.from_string(hash, **context) chk = self.checksum if chk is None: |