Noticed this old post about Django, http://threatpost.com/patches-for-django-framework-fix-dos-vulnerability/102323, and we should probably account for it before we have pbkdf2 out there. With the old md5 hashing, this PoC took just a few hundred ms. With pbkdf2, I hit max execution time.
```
> perl -e "print 'lgpassword=' . 'A'x1024x1024" > pw.txt
> curl -b './pw.cookie' -c './pw.cookie' -d action=login -d lgname=NormalUser -d lgtoken=df405afa01896b61b40229c86baef771 --data @pw.txt 'http://localhost/wiki/api.php?format=json'
```
It's a quick fix to limit the password input to 4096 (or even 10,000 if we wanted). Just something less than the max post size.
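The mitigation proposed above, as an added example (not MediaWiki's own PHP code, and not part of this report): enforce an upper bound on the password length before any PBKDF2 work is done, both at the request layer (where the `lgpassword` parameter arrives) and inside the hashing routine itself, so an oversized login body fails fast instead of tying up the worker. The 4096-byte limit is the value suggested in the report; the iteration count, salt size and `KDF_CALLS` counter are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Upper bound on accepted password bytes, taken from the report's suggestion.
MAX_PASSWORD_BYTES = 4096
# Assumed KDF parameters for this example (not MediaWiki's real settings).
PBKDF2_ITERATIONS = 10000
SALT_BYTES = 16

# Counts how many times the expensive KDF actually ran, so the fast-fail path
# can be verified: oversize input must never reach it.
KDF_CALLS = 0


class PasswordTooLongError(ValueError):
    """Raised when a password exceeds MAX_PASSWORD_BYTES."""


def _check_length(pw: bytes) -> None:
    """Cheap O(len) check performed before any hashing."""
    if len(pw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLongError(
            f"password is {len(pw)} bytes, limit is {MAX_PASSWORD_BYTES}")


def _derive(pw: bytes, salt: bytes) -> bytes:
    """The expensive step: PBKDF2-HMAC-SHA256 with the assumed iteration count."""
    global KDF_CALLS
    KDF_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key), rejecting oversize input before hashing."""
    pw = password.encode("utf-8")
    _check_length(pw)
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return salt, _derive(pw, salt)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time compare of the derived key; oversize input fails without a KDF run."""
    pw = password.encode("utf-8")
    try:
        _check_length(pw)
    except PasswordTooLongError:
        return False
    return hmac.compare_digest(_derive(pw, salt), expected)


def login_request_ok(body: bytes) -> Tuple[bool, str]:
    """Request-layer check for a form-encoded login body such as the PoC's pw.txt.

    Returns (accepted, reason). This runs before any credential lookup so the
    server does not spend KDF time on a body that could never be a valid login.
    """
    fields = parse_qs(body.decode("utf-8", errors="replace"), keep_blank_values=True)
    values = fields.get("lgpassword", [])
    if len(values) != 1:
        return False, "lgpassword must be supplied exactly once"
    if len(values[0].encode("utf-8")) > MAX_PASSWORD_BYTES:
        return False, "lgpassword exceeds maximum length"
    return True, "ok"


if __name__ == "__main__":
    salt, dk = hash_password("correct horse battery staple")
    print("normal login verifies:", verify_password("correct horse battery staple", salt, dk))
    # Constructed oversize body, the same shape as the PoC's 1 MiB lgpassword.
    huge_body = b"action=login&lgname=NormalUser&lgpassword=" + b"A" * (1024 * 1024)
    print("oversize body accepted:", login_request_ok(huge_body))
```

The length check sits in two places on purpose: the request-layer check gives the caller a clear error, and the check inside `verify_password` protects any other code path (CLI maintenance scripts, other login entry points) that might hand a long string straight to the hasher.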
--------------------------
**Version**: unspecified
**Severity**: normal
**Patch**: {F31022}
- 1.24: (needed)
**Affected Versions**: Since 95a8974c6bda2c6353612c40b01b9c78527b8956 (1.24)
**Type**: DoS
**CVE**: (needed)