SECURITY: Limit passwords to 200 characters

Prevents layer 8 attack.
riking
2014-09-11 12:22:11 -07:00
committed by Robin Ward
parent 216ee9f2f1
commit 2c6d03f87f
8 changed files with 78 additions and 7 deletions


@ -117,6 +117,10 @@ class User < ActiveRecord::Base
LAST_VISIT = -2
end
def self.max_password_length
200
end
def self.username_length
SiteSetting.min_username_length.to_i..SiteSetting.max_username_length.to_i
end
@ -679,6 +683,7 @@ class User < ActiveRecord::Base
end
def hash_password(password, salt)
raise "password is too long" if password.size > User.max_password_length
Pbkdf2.hash_password(password, salt, Rails.configuration.pbkdf2_iterations, Rails.configuration.pbkdf2_algorithm)
end
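Review bot: The new guard at the top of `hash_password` raises a bare `RuntimeError`, so an over-long password that reaches this method surfaces as an unhandled exception rather than a validation message; unless one of the other seven changed files adds a model-level length validation, a caller setting such a password gets a 500 from here. A specific exception class is also easier for callers to rescue: `raise ArgumentError, "password is too long" if password.size > User.max_password_length`. Note too that `size` counts characters, so the string handed to `Pbkdf2.hash_password` can still be up to four times that many bytes for multibyte input; if the limit is meant to bound the work done in the PBKDF2 call, compare `password.bytesize` instead and say which measure the `200` in `max_password_length` refers to, e.g. `# maximum password length in characters; keeps the PBKDF2 input bounded`. Both hunks sit inside `class User`, whose definition starts and ends outside this view.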