|
|
@@ -810,22 +810,6 @@ as JSON requires string keys, you will likely run into problems if you are
|
|
|
using non-string keys in ``request.session``. See the
|
|
|
:ref:`session_serialization` documentation for more details.
|
|
|
|
|
|
-4096-byte limit on passwords
|
|
|
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
-
|
|
|
-.. note::
|
|
|
- This behavior was also added in the Django 1.5.4 and 1.4.8 security
|
|
|
- releases.
|
|
|
-
|
|
|
-Historically, Django has imposed no length limit on plaintext
|
|
|
-passwords. This enables a denial-of-service attack through submission
|
|
|
-of bogus but extremely large passwords, tying up server resources
|
|
|
-performing the (expensive, and increasingly expensive with the length
|
|
|
-of the password) calculation of the corresponding hash.
|
|
|
-
|
|
|
-Django now imposes a 4096-byte limit on password length, and will fail
|
|
|
-authentication with any submitted password of greater length.
|
|
|
-
|
|
|
Miscellaneous
|
|
|
~~~~~~~~~~~~~
|
|
|
|
Tim Graham