** Changed in: keystone
Status: Fix Committed => Fix Released
** Changed in: keystone
Milestone: None => juno-2
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1175904
Title:
passlib trunc_password MAX_PASSWORD_LENGTH password truncation
Status in OpenStack Identity (Keystone):
Fix Released
Bug description:
Grant Murphy originally reported:
* Insecure / bad practice
The trunc_password function attempts to correct and truncate passwords
that are over the MAX_PASSWORD_LENGTH value (default 4096). As the
MAX_PASSWORD_LENGTH field is globally mutable it could be modified
to restrict all passwords to length = 1. This scenario might be unlikely
but generally speaking we should not try to 'fix' invalid input and
continue on processing as if nothing happened.
If this is exploitable it will need a CVE, if not we should still
harden it so it can't be monkeyed with in the future.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1175904/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
