0
0
mirror of https://github.com/django/django.git synced 2024-12-01 15:42:04 +01:00

Removed 1.6 release note text regarding password limit length.

This changed was reverted in 5d74853e15.
This commit is contained in:
Tim Graham 2013-10-17 18:58:24 -04:00
parent 7e5d7a76bf
commit d97bec5ee3

View File

@ -810,22 +810,6 @@ as JSON requires string keys, you will likely run into problems if you are
using non-string keys in ``request.session``. See the
:ref:`session_serialization` documentation for more details.
4096-byte limit on passwords
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. note::
This behavior was also added in the Django 1.5.4 and 1.4.8 security
releases.
Historically, Django has imposed no length limit on plaintext
passwords. This enables a denial-of-service attack through submission
of bogus but extremely large passwords, tying up server resources
performing the (expensive, and increasingly expensive with the length
of the password) calculation of the corresponding hash.
Django now imposes a 4096-byte limit on password length, and will fail
authentication with any submitted password of greater length.
Miscellaneous
~~~~~~~~~~~~~