[Openstack-security] [Bug 1175904] Re: passlib trunc_password MAX_PASSWORD_LENGTH password truncation

Li Ma skywalker.nick at gmail.com
Thu Aug 22 19:30:36 UTC 2013


** Changed in: keystone
     Assignee: (unassigned) => Li Ma (nick-ma-b)

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1175904

Title:
  passlib trunc_password MAX_PASSWORD_LENGTH password truncation

Status in OpenStack Identity (Keystone):
  Confirmed

Bug description:
  Grant Murphy originally reported:

  * Insecure / bad practice

     The trunc_password function attempts to correct and truncate passwords 
     that are over the MAX_PASSWORD_LENGTH value (default 4096). As the 
     MAX_PASSWORD_LENGTH field is globally mutable it could be modified 
     to restrict all passwords to length = 1. This scenario might be unlikely 
     but generally speaking we should not try to 'fix' invalid input and 
     continue on processing as if nothing happened. 

  If this is exploitable it will need a CVE, if not we should still
  harden it so it can't be monkeyed with in the future.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1175904/+subscriptions




More information about the Openstack-security mailing list