Bug 1623009 - Long password denial of service in bugzilla.mozilla.org

author David Lawrence <dkl@mozilla.com>

Wed, 29 Apr 2020 06:11:35 +0000 (02:11 -0400)

committer David Lawrence <dkl@mozilla.com>

Wed, 29 Apr 2020 06:11:35 +0000 (02:11 -0400)
author David Lawrence <dkl@mozilla.com>
Wed, 29 Apr 2020 06:11:35 +0000 (02:11 -0400)
committer David Lawrence <dkl@mozilla.com>
Wed, 29 Apr 2020 06:11:35 +0000 (02:11 -0400)
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm

index 6b1f0e58a2fcfdc81ead33c1bca88480cd3297f1..0cd18bdf62c91c33875bfaccff677df4dea7719c 100644 (file)
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -46,6 +46,7 @@ use Memoize;
    AUTH_LOCKOUT
  
    USER_PASSWORD_MIN_LENGTH
+  USER_PASSWORD_MAX_LENGTH
  
    LOGIN_OPTIONAL
    LOGIN_NORMAL
@@ -277,9 +278,10 @@ use constant AUTH_DISABLED     => 4;
  use constant AUTH_NO_SUCH_USER => 5;
  use constant AUTH_LOCKOUT      => 6;
  
-# The minimum length a password must have.
+# The minimum and maximum length a password will have.
  # BMO uses 8 characters.
  use constant USER_PASSWORD_MIN_LENGTH => 8;
+use constant USER_PASSWORD_MAX_LENGTH => 4096;
  
  use constant LOGIN_OPTIONAL => 0;
  use constant LOGIN_NORMAL   => 1;
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm

index 2a30d68aecfd47a1b9b818733f28d9fb927dcf36..08ca3ef3926c608ef07e4dd8fde055605c3a68d8 100644 (file)
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -680,6 +680,10 @@ sub file_mod_time {
  sub bz_crypt {
    my ($password, $salt) = @_;
  
+  # We shorten the password to protect against system
+  # resource exhaustion attacks
+  $password = substr $password, 0, USER_PASSWORD_MAX_LENGTH;
+
    my $algorithm;
    if (!defined $salt) {
author	David Lawrence <dkl@mozilla.com>
	Wed, 29 Apr 2020 06:11:35 +0000 (02:11 -0400)
committer	David Lawrence <dkl@mozilla.com>
	Wed, 29 Apr 2020 06:11:35 +0000 (02:11 -0400)
Bugzilla/Constants.pm		patch \| blob \| blame \| history
Bugzilla/Util.pm		patch \| blob \| blame \| history