Limit maximum length of passwords to 4096 characters

2026-05-05 15:14:04 +00:00 · 2022-01-25 17:24:48 +01:00
parent 73ab962e16
commit 4262bce2b5
3 changed files with 13 additions and 2 deletions
--- a/src/pretix/base/auth.py
+++ b/src/pretix/base/auth.py
@@ -146,7 +146,8 @@ class NativeAuthBackend(BaseAuthBackend):
        d = OrderedDict([
            ('email', forms.EmailField(label=_("E-mail"), max_length=254,
                                       widget=forms.EmailInput(attrs={'autofocus': 'autofocus'}))),
-            ('password', forms.CharField(label=_("Password"), widget=forms.PasswordInput)),
+            ('password', forms.CharField(label=_("Password"), widget=forms.PasswordInput,
+                                         max_length=4096)),
        ])
        return d

--- a/src/pretix/base/forms/auth.py
+++ b/src/pretix/base/forms/auth.py
@@ -154,6 +154,7 @@ class RegistrationForm(forms.Form):
        widget=forms.PasswordInput(attrs={
            'autocomplete': 'new-password'  # see https://bugs.chromium.org/p/chromium/issues/detail?id=370363#c7
        }),
+        max_length=4096,
        required=True
    )
    password_repeat = forms.CharField(
@@ -161,6 +162,7 @@ class RegistrationForm(forms.Form):
        widget=forms.PasswordInput(attrs={
            'autocomplete': 'new-password'  # see https://bugs.chromium.org/p/chromium/issues/detail?id=370363#c7
        }),
+        max_length=4096,
        required=True
    )
    keep_logged_in = forms.BooleanField(label=_("Keep me logged in"), required=False)
@@ -204,11 +206,13 @@ class PasswordRecoverForm(forms.Form):
    password = forms.CharField(
        label=_('Password'),
        widget=forms.PasswordInput,
+        max_length=4096,
        required=True
    )
    password_repeat = forms.CharField(
        label=_('Repeat password'),
-        widget=forms.PasswordInput
+        widget=forms.PasswordInput,
+        max_length=4096,
    )

    def __init__(self, user_id=None, *args, **kwargs):
--- a/src/pretix/presale/forms/customer.py
+++ b/src/pretix/presale/forms/customer.py
@@ -58,6 +58,7 @@ class AuthenticationForm(forms.Form):
        label=_("Password"),
        strip=False,
        widget=forms.PasswordInput(attrs={'autocomplete': 'current-password'}),
+        max_length=4096,
    )

    error_messages = {
@@ -251,11 +252,13 @@ class SetPasswordForm(forms.Form):
    password = forms.CharField(
        label=_('Password'),
        widget=forms.PasswordInput(attrs={'minlength': '8', 'autocomplete': 'new-password'}),
+        max_length=4096,
        required=True
    )
    password_repeat = forms.CharField(
        label=_('Repeat password'),
        widget=forms.PasswordInput(attrs={'minlength': '8', 'autocomplete': 'new-password'}),
+        max_length=4096,
    )

    def __init__(self, customer=None, *args, **kwargs):
@@ -343,11 +346,13 @@ class ChangePasswordForm(forms.Form):
    password = forms.CharField(
        label=_('New password'),
        widget=forms.PasswordInput,
+        max_length=4096,
        required=True
    )
    password_repeat = forms.CharField(
        label=_('Repeat password'),
        widget=forms.PasswordInput(attrs={'minlength': '8', 'autocomplete': 'new-password'}),
+        max_length=4096,
    )

    def __init__(self, customer, *args, **kwargs):
@@ -406,6 +411,7 @@ class ChangeInfoForm(forms.ModelForm):
        label=_('Your current password'),
        widget=forms.PasswordInput,
        help_text=_('Only required if you change your email address'),
+        max_length=4096,
        required=False
    )