[Openstack-security] [Bug 1175904] Re: passlib trunc_password MAX_PASSWORD_LENGTH password truncation

OpenStack Infra 1175904 at bugs.launchpad.net
Mon Jun 16 18:38:59 UTC 2014


Reviewed:  https://review.openstack.org/77325
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=94a2053cd05cabee2e4233ef33e1f116201d9368
Submitter: Jenkins
Branch:    master

commit 94a2053cd05cabee2e4233ef33e1f116201d9368
Author: Li Ma <skywalker.nick at gmail.com>
Date:   Fri Feb 28 18:54:35 2014 -0800

    Password truncation makes passwords insecure
    
    The trunc_password function attempts to correct and truncate the
    password. It is not recommended to 'fix' invalid input and
    continue on processing and logging it. Instead, a strict check
    is introduced to validate the password. If a password exceeds the
    maximum length, an HTTP 403 Forbidden error is thrown.
    
    In order to keep compatibility, an option 'strict_password_check'
    is also introduced to let the operator decide which method to use.
    
    DocImpact
    Change-Id: I560daa843b94a05412af59a059de5a98bad2925e
    Closes-Bug: #1175904


** Changed in: keystone
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1175904

Title:
  passlib trunc_password MAX_PASSWORD_LENGTH password truncation

Status in OpenStack Identity (Keystone):
  Fix Committed

Bug description:
  Grant Murphy originally reported:

  * Insecure / bad practice

     The trunc_password function attempts to correct and truncate passwords
     that are over the MAX_PASSWORD_LENGTH value (default 4096). As the
     MAX_PASSWORD_LENGTH field is globally mutable it could be modified
     to restrict all passwords to length = 1. This scenario might be unlikely
     but generally speaking we should not try to 'fix' invalid input and
     continue on processing as if nothing happened.

  If this is exploitable it will need a CVE, if not we should still
  harden it so it can't be monkeyed with in the future.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1175904/+subscriptions
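As an added illustration, not Keystone's own code, the snippet below puts the silent truncation the report describes next to the strict check the commit introduces, so the compatibility trade-off behind the strict_password_check option can be seen directly. PBKDF2 from hashlib stands in for passlib, and the max_length parameter and the PasswordTooLong exception are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Keystone's default; a mutable module global, which is what the report objects to.
MAX_PASSWORD_LENGTH = 4096


class PasswordTooLong(Exception):
    """Stands in for the HTTP 403 Forbidden the strict check returns (assumed name)."""


def trunc_password(password, max_length=None):
    """Old behaviour: silently cut over-long input down to the limit."""
    limit = MAX_PASSWORD_LENGTH if max_length is None else max_length
    return password[:limit]


def check_password_length(password, max_length=None):
    """New behaviour: reject over-long input instead of 'fixing' it."""
    limit = MAX_PASSWORD_LENGTH if max_length is None else max_length
    if len(password) > limit:
        raise PasswordTooLong("password exceeds %d characters" % limit)
    return password


def normalize(password, strict_password_check=False, max_length=None):
    """Mirrors the strict_password_check option: the operator picks the mode."""
    if strict_password_check:
        return check_password_length(password, max_length)
    return trunc_password(password, max_length)


def hash_password(password, strict_password_check=False, max_length=None):
    """PBKDF2-HMAC-SHA256 stands in for passlib; returns 'salthex$digesthex'."""
    pw = normalize(password, strict_password_check, max_length).encode("utf-8")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, 10000)
    return salt.hex() + "$" + digest.hex()


def check_password(password, stored, strict_password_check=False, max_length=None):
    """True when password matches stored; digests are compared in constant time."""
    pw = normalize(password, strict_password_check, max_length).encode("utf-8")
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), 10000)
    return hmac.compare_digest(digest.hex(), digest_hex)
```

In compatible mode any two passwords that agree on their first MAX_PASSWORD_LENGTH characters verify against the same hash, and lowering the global to 1 collapses every password to its first character; in strict mode the same over-long inputs are refused while in-limit passwords keep working.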
