Django Security Release - 1.5.4

125 points by gandalfar, over 11 years ago

5 comments

ubernostrum, over 11 years ago

Sometimes we do releases that fix things that are kinda hard to exploit, or mostly are just hardening existing stuff to make it even better.

Sometimes we do releases because there's a serious exploitable thing in the wild.

This is the latter: it's a DoS vector, and it got out via a posting to a public mailing list. Please do not hold off on upgrading.
dchest, over 11 years ago

FYI,

- bcrypt can have passwords up to 72 bytes (depending on implementation) due to its nature of feeding the password into a block cipher, and Blowfish having max 448-bit keys but some implementations allowing 576 bits (see https://en.wikipedia.org/wiki/Blowfish_(cipher)#The_algorithm)

- scrypt accepts passwords of unlimited length; however, the computational/memory cost doesn't depend on password length, as the first step in scrypt is expanding (or compressing) the password and salt with 1-round PBKDF2, which is basically HMAC in counter mode.
jzwinck, over 11 years ago

Some people deride it as "C programmer mentality" when fields have a fixed maximum size. I too used to think having no limits at all was the best approach in most scenarios. But for many kinds of user input data, there is a point at which a longer value is complete nonsense. The 4096-character password length limit Django will now employ seems quite a bit longer than absolutely necessary; hopefully it sufficiently addresses the bug. As for the choice of 4096, well, I would have chosen 4000 (or 1000) simply because it's more comprehensible from an end-user perspective.

When designing such systems, also consider that users sometimes accidentally copy-paste entire documents into text fields--given the number of users Django has, if a site has no input-field length limit, it's downright likely that someone will eventually paste a megabyte "password" in there with no ill intention.
victorhooi, over 11 years ago

Just for kicks, I timed how long it took to hash a 1Mb password on an EC2 small instance:

    >>> timeit.timeit('make_password(a, "asdfasdfasd")', setup="a = 'a' * 1024 * 1024; from django.contrib.auth.hashers import make_password;", number=1)
    206.77019500732422
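The mitigation the thread describes (jzwinck's 4096-character cap, and the cost victorhooi measured on an uncapped hasher), as an added illustration that is not Django's own code: a hasher wrapper that rejects over-long input in bytes before any key-derivation work is done, on both the set-password and the login path. The 4096-byte cap, the iteration count and the encoded-string layout are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed cap for this example: the 4096-byte limit the thread says Django 1.5.4 adopted.
MAX_PASSWORD_BYTES = 4096
# Assumed work factor for this example, not Django's setting.
DEFAULT_ITERATIONS = 100_000


class PasswordTooLong(ValueError):
    """Raised when a submitted password exceeds MAX_PASSWORD_BYTES."""


def is_acceptable_length(password: str) -> bool:
    # The cap is measured in UTF-8 bytes, which is what the hasher consumes,
    # so 3000 two-byte characters (6000 bytes) is over the limit.
    return len(password.encode("utf-8")) <= MAX_PASSWORD_BYTES


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' (assumed layout)."""
    if not is_acceptable_length(password):
        # Reject before the expensive step; this check is a cheap length test.
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, encoded: str) -> bool:
    """Check a candidate; over-long input fails fast without running PBKDF2."""
    if not is_acceptable_length(password):
        return False  # same cheap rejection on the login path, so a stored hash
    algorithm, iterations, salt_hex, dk_hex = encoded.split("$")  # cannot be DoSed
    if algorithm != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison of the derived key against the stored one.
    return hmac.compare_digest(dk.hex(), dk_hex)
```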
djthrowaway86, over 11 years ago

What I believe to be the relevant post that prompted these releases: http://www.mail-archive.com/django-developers@googlegroups.com/msg38236.html