
This queue is for tickets about the Crypt-PBKDF2 CPAN distribution.

Report information
The Basics
Id: 90179
Status: resolved
Priority: 0/
Queue: Crypt-PBKDF2

People
Owner: ARODLAND [...] cpan.org
Requestors: gabor [...] szabgab.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: 0.142390



Subject: Enhancement Request: Limit the password length
Date: Sat, 9 Nov 2013 14:45:06 +0200
To: bug-Crypt-PBKDF2 [...] rt.cpan.org
From: Gabor Szabo <gabor [...] szabgab.com>

Django had a security related issue by letting any length of password in
https://www.djangoproject.com/weblog/2013/sep/15/security/

It might be a good idea to have a limit to the password length
that could be set by the module-user, but that would have a reasonable
default. 64 already seems enough.

So both generate() and validate() will croak if a password longer than this
was passed.

On Sat Nov 09 07:45:22 2013, gabor@szabgab.com wrote:
> Django had a security related issue by letting any length of password in
> https://www.djangoproject.com/weblog/2013/sep/15/security/
>
> It might be a good idea to have a limit to the password length
> that could be set by the module-user, but that would have a reasonable
> default. 64 already seems enough.
>
> So both generate() and validate() will croak if a password longer than this
> was passed.

Good suggestion. I've added it, but without a default for now.
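
The length check requested in this ticket, enforced in the calling code around generate() and validate(), as an added example that is not part of the ticket or the module's own code. The 64-byte cap, the iteration count and the helper names `bounded_bytes`, `generate_hash` and `validate_hash` are assumptions made for illustration.

```perl
use strict;
use warnings;
use Carp qw(croak);
use Crypt::PBKDF2;

# Assumed policy value, taken from the "64 already seems enough" suggestion.
my $MAX_PASSWORD_LENGTH = 64;

my $pbkdf2 = Crypt::PBKDF2->new(
    hash_class => 'HMACSHA2',
    hash_args  => { sha_size => 256 },
    iterations => 10_000,    # assumed value for the example
    salt_len   => 16,
);

# Hypothetical helper: reject over-long input before any key derivation runs.
# Assumes $password is a decoded character string; the cap is applied to its
# UTF-8 byte form, which is also what gets hashed.
sub bounded_bytes {
    my ($password) = @_;
    croak 'Password is undefined' unless defined $password;
    my $bytes = $password;
    utf8::encode($bytes);
    croak "Password exceeds $MAX_PASSWORD_LENGTH bytes"
        if length($bytes) > $MAX_PASSWORD_LENGTH;
    return $bytes;
}

# Both entry points croak on over-long input, as the ticket proposes.
sub generate_hash {
    my ($password) = @_;
    return $pbkdf2->generate(bounded_bytes($password));
}

sub validate_hash {
    my ($stored_hash, $password) = @_;
    return $pbkdf2->validate($stored_hash, bounded_bytes($password));
}

my $hash = generate_hash('correct horse battery staple');
print "valid\n" if validate_hash($hash, 'correct horse battery staple');

# Constructed over-long input: rejected by the length check, never hashed.
my $ok = eval { validate_hash($hash, 'A' x 1_000_000); 1 };
print "rejected: $@" unless $ok;
```

Because validate_hash() croaks rather than returning false, a login handler should wrap it in eval and treat the exception as a failed authentication.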