Reviewed:  https://review.openstack.org/98942
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b3f4e299e8c47ede4e39744fa8c46f66fb1f4173
Submitter: Jenkins
Branch:    master

commit b3f4e299e8c47ede4e39744fa8c46f66fb1f4173
Author: Li Ma <skywalker.nick at gmail.com>
Date:   Wed Jun 18 19:16:52 2014 -0700

    Fix the typo and reformat the comments for the added option

    Change-Id: I01c471976f2c6d80bfe629b61ab75b81d6cabb1a
    Related-Bug: #1175904

--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1175904

Title:
  passlib trunc_password MAX_PASSWORD_LENGTH password truncation

Status in OpenStack Identity (Keystone):
  Fix Committed

Bug description:
  Grant Murphy originally reported:

  * Insecure / bad practice

  The trunc_password function attempts to correct and truncate passwords
  that are over the MAX_PASSWORD_LENGTH value (default 4096). As the
  MAX_PASSWORD_LENGTH field is globally mutable, it could be modified to
  restrict all passwords to length = 1. This scenario might be unlikely,
  but generally speaking we should not try to 'fix' invalid input and
  continue on processing as if nothing happened.

  If this is exploitable it will need a CVE; if not, we should still harden
  it so it can't be monkeyed with in the future.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1175904/+subscriptions
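The following Python is an added illustration of the bug class the report describes; it is not Keystone's code and not part of the bug report or the commit above. The names MAX_PASSWORD_LENGTH and trunc_password are taken from the report; everything else (sha256 standing in for the real password hash, the PasswordTooLong error, the explicit max_length parameter of the hardened path, and the sample passwords) is assumed for the example. It shows the two consequences of truncate-and-continue: with the default limit, passwords that differ only after position 4096 verify as the same password, and once the module-level value is rebound to 1, every password sharing a first character collides. The hardened variant rejects over-long input instead of repairing it and takes its limit as a parameter rather than reading a mutable global.

```python
"""Silent truncation vs. rejection of over-long passwords.

Constructed example for the trunc_password / MAX_PASSWORD_LENGTH report.
Not Keystone's code: sha256 stands in for the real password hash, and the
hardened variant, its error type and the sample inputs are assumptions.
"""
import hashlib

# Module-level and mutable, which is exactly what the report objects to.
# 4096 is the default quoted in the report.
MAX_PASSWORD_LENGTH = 4096


def trunc_password(password):
    """Reported behaviour: quietly cut the password down to the limit."""
    if len(password) > MAX_PASSWORD_LENGTH:
        return password[:MAX_PASSWORD_LENGTH]
    return password


def hash_password_truncating(password):
    """'Before' path: truncate, then hash. The collisions shown below come
    from the truncation, not from the hash function used."""
    return hashlib.sha256(trunc_password(password).encode()).hexdigest()


# --- hardened variant (assumed design, not the project's) ------------------

class PasswordTooLong(ValueError):
    """Raised instead of silently repairing the input."""


def check_password_length(password, max_length):
    """'After' path: validate and reject. The limit is an explicit argument,
    so rebinding a module attribute cannot change what is enforced."""
    if not isinstance(password, str):
        raise TypeError("password must be a string")
    if len(password) > max_length:
        raise PasswordTooLong(
            "password length %d exceeds limit %d" % (len(password), max_length))
    return password


def hash_password_checked(password, max_length=4096):
    return hashlib.sha256(
        check_password_length(password, max_length).encode()).hexdigest()


def default_limit_collision():
    """Even with the default 4096, two passwords that differ only beyond the
    limit hash identically on the truncating path."""
    a = "a" * 4096 + "X"
    b = "a" * 4096 + "Y"
    return hash_password_truncating(a) == hash_password_truncating(b)


def demo():
    """Rebind the global to 1 (the scenario in the report) and compare the
    two paths under that condition. Returns a dict of booleans."""
    global MAX_PASSWORD_LENGTH
    saved = MAX_PASSWORD_LENGTH
    try:
        MAX_PASSWORD_LENGTH = 1  # the monkey-patch the report worries about
        collided = (hash_password_truncating("correct horse battery")
                    == hash_password_truncating("c"))
        try:
            hash_password_checked("x" * 5000)
            rejected = False
        except PasswordTooLong:
            rejected = True
        # The hardened path is unaffected by the rebound global.
        distinct = (hash_password_checked("correct horse battery")
                    != hash_password_checked("c"))
    finally:
        MAX_PASSWORD_LENGTH = saved
    return {"truncating_path_collides": collided,
            "checked_path_rejects_overlong": rejected,
            "checked_path_keeps_passwords_distinct": distinct}


if __name__ == "__main__":
    print("default-limit prefix collision:", default_limit_collision())
    print(demo())
```

The point of the comparison is the one the report makes: truncation turns a validation failure into a silent change of the credential, and a mutable limit makes the size of that change controllable by anything that can rebind the module attribute. Rejecting with an error keeps the failure visible, and passing the limit explicitly removes the global as a knob.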