From: David Lawrence
Date: Wed, 29 Apr 2020 06:11:35 +0000 (-0400)
Subject: Bug 1623009 - Long password denial of service in bugzilla.mozilla.org
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0525c3198c179b41706fcd4c0d095941f9cae5f3;p=thirdparty%2Fbugzilla.git

Bug 1623009 - Long password denial of service in bugzilla.mozilla.org
---
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index 6b1f0e58a..0cd18bdf6 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -46,6 +46,7 @@ use Memoize;
 AUTH_LOCKOUT
 USER_PASSWORD_MIN_LENGTH
+ USER_PASSWORD_MAX_LENGTH
 LOGIN_OPTIONAL
 LOGIN_NORMAL
@@ -277,9 +278,10 @@ use constant AUTH_DISABLED => 4;
 use constant AUTH_NO_SUCH_USER => 5;
 use constant AUTH_LOCKOUT => 6;
-# The minimum length a password must have.
+# The minimum and maximum length a password will have.
 # BMO uses 8 characters.
 use constant USER_PASSWORD_MIN_LENGTH => 8;
+use constant USER_PASSWORD_MAX_LENGTH => 4096;
 use constant LOGIN_OPTIONAL => 0;
 use constant LOGIN_NORMAL => 1;
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index 2a30d68ae..08ca3ef39 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -680,6 +680,10 @@ sub file_mod_time {
 sub bz_crypt {
 my ($password, $salt) = @_;
+ # We shorten the password to protect against system
+ # resource exhaustion attacks
+ $password = substr $password, 0, USER_PASSWORD_MAX_LENGTH;
+
 my $algorithm;
 if (!defined $salt) {
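Review bot: The rewritten comment above USER_PASSWORD_MIN_LENGTH says a password "will have" at most USER_PASSWORD_MAX_LENGTH characters, but nothing in this hunk enforces that as a validation rule; the Util.pm hunk applies the constant by silently truncating inside bz_crypt() before hashing, so an over-length password is still accepted and only its first 4096 characters are significant for the stored hash and for later login checks. That is a sound resource-exhaustion mitigation, but the comment should state the real contract so a maintainer does not assume a length check exists elsewhere and does not re-use the constant as if it were a rejection threshold, e.g. `# The minimum length a password must have (BMO uses 8 characters), and the` / `# length beyond which bz_crypt() truncates it before hashing so that very long` / `# passwords cannot exhaust CPU/memory (bug 1623009). Not a validation limit.`. The new constant is referenced as a bareword in Util.pm's bz_crypt(), which compiles under strict only if Util.pm imports it from Bugzilla::Constants; that import line is outside this diff, so if Util.pm uses an explicit import list rather than the default export set, it needs updating as well.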