Changes between Version 11 and Version 12 of SecurityTeam
Timestamp: Nov 21, 2025, 6:15:37 AM
SecurityTeam
v11 v12 47 47 Thanks for your understanding! 48 48 49 Kind regards, the Django Security Team. 50 49 51 === Unsanitized user input === 52 50 53 After review, we've determined that the reported issue only affects workflows that process user input without sanitization. As documented at [0]: 51 54 … … 58 61 Thanks for taking the time to submit it through the appropriate channel. 59 62 63 Kind regards, the Django Security Team. 64 60 65 === Private API === 66 61 67 After review, we've determined that the reported issue only affects direct usage of private, undocumented functionality. As documented at [0]: 62 68 … … 68 74 69 75 Thanks for taking the time to submit it through the appropriate channel. 76 77 Kind regards, the Django Security Team. 70 78 71 79 === Security issue in the development server (runserver) === … … 83 91 Thanks for taking the time to submit it through the appropriate channel. 84 92 93 Kind regards, the Django Security Team. 94 85 95 [0] https://docs.djangoproject.com/en/stable/ref/django-admin/#django-admin-runserver 86 87 96 [1] https://docs.djangoproject.com/en/stable/internals/security/#how-does-django-evaluate-a-report 88 97 … … 103 112 For further clarification, please see our documentation on performing raw SQL queries: https://docs.djangoproject.com/en/stable/topics/db/sql/#performing-raw-sql-queries 104 113 105 Best, 106 Django Security Team. 114 Kind regards, the Django Security Team. 115 116 === Maximum password validator (lack of) == 117 118 Thank you for your report. We reviewed the issue and do not consider it a security vulnerability. 119 120 While it is true that extremely long passwords could, in theory, increase the cost of password hashing, Django applies a request body size limit [0], which defaults to 2.5 MB. In practice, this means passwords cannot exceed roughly 2.5 million characters.Django's built-in password hashers handle inputs of this size efficiently. 
On a regular desktop machine, hashing a 2.5 MB password takes on the order of a third of a second. 121 122 For example, running the following plain Python script: 123 {{{#!python 124 import timeit 125 from django.contrib.auth.hashers import get_hasher 126 127 hasher = get_hasher() 128 salt = hasher.salt() 129 password = "x" * 2_621_440 # ~2.5 MB 130 n = 5 # number of runs 131 total_seconds = timeit.timeit(lambda: hasher.encode(password, salt), number=n)avg_ms = (total_seconds / n) * 1000 132 133 print(f"Average time: {avg_ms:.2f} ms over {n} runs") 134 }}} 135 Produces output such as: `Average time: 281.13 ms over 5 runs` 136 137 Given these limits and performance characteristics, and noting that it is generally good practice to permit long and secure passwords, we do not consider any change necessary in Django itself. 138 139 Kind regards, The Django Security Team. 140 141 [0] https://docs.djangoproject.com/en/stable/ref/settings/#data-upload-max-memory-size 107 142 108 143 === Unauthenticated cache purge ===
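Review bot: In the added "Maximum password validator (lack of)" section, the script's `total_seconds = timeit.timeit(lambda: hasher.encode(password, salt), number=n)` and `avg_ms = (total_seconds / n) * 1000` statements are run together on one line (`...number=n)avg_ms = ...`), which is not valid Python as shown; split them onto two lines before the template is sent out. The same section states that "Django's built-in password hashers handle inputs of this size efficiently", but the measurement only exercises `get_hasher()` with no argument, i.e. the configured default hasher, so either name the hasher behind the "281.13 ms" figure or time each entry of the configured hashers, and present the number as illustrative since it depends on hasher, work factor and machine. Smaller points in the same hunk: a missing space in "characters.Django's"; the new heading closes with `==` while its opening marker and every other heading on the page use `===`; the sign-off reads "The Django Security Team" while the other templates, including the one changed in this hunk from "Best, Django Security Team." to "Kind regards, the Django Security Team.", use lower-case "the"; and the new `[0]` footnote reuses the index already taken by the runserver section's `[0]`, which is fine in an individual reply but easy to misread on the combined page.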