The denial-of-service fixes from https://www.drupal.org/SA-CORE-2014-006 look like they would be relevant to Drupal 8 too and need to be ported there.
See the password.inc changes from http://cgit.drupalcode.org/drupal/commit/?id=81586d9e9d04dcee487c50de426... (and also the related tests).
Patch credit (for the Drupal 7 fix): klausi, pwolanin, Heine, tsphethean
Comment | File | Size | Author |
---|---|---|---|
#7 | password-length-2378703-7-interdiff.txt | 618 bytes | Berdir |
#7 | password-length-2378703-7.patch | 2.94 KB | Berdir |
Comments
Comment #1
David_Rothstein
Adding link to the related issue for the other half of the security advisory.
Comment #2
David_Rothstein
Comment #3
Berdir
Working on this.
Comment #4
Berdir
Ported the fix and the tests.
Comment #6
klausi
Cool, almost ready!
Doc block missing, something like "Provides the test matrix for testLongPassword()."
Comment #7
Berdir
Wasn't sure what to add as comment and if at all, we have a lot of undocumented data provider methods. But your suggestion works for me ;)
Comment #8
klausi
Thanks, looks good.
Comment #9
catch
Committed/pushed to 8.0.x, thanks!