web2py 2.6.3 is OUT (security update)

[Massimo Di Pierro]

This is very similar to 2.6.1 but fixes some problem with a missing admin file (also fixed in 2.6.2) and a potential DoS security issue.

The issue was first discovered in Django https://www.djangoproject.com/weblog/2013/sep/15/security/ 

We thank them for discovering and reporting it.

In web2py 2.5.x and earlier we suffer from the same problem. This is because while the default password validator checks for length, the check is performed after hashing, before inserting the hashed password in database. In 2.6.1/2 we have a different implementation of the hashing algorithm and we do not know how severe the problem is.

In any case 2.6.3 fixes the problem by truncating the password to 1024 chars when passed to the CRYPT validator.

You should upgrade.

Massimo

[Raul Monares]

Thanks Massimo

[samuel bonill]

+1

[黄祥]

great, very responsive. thank you so much

[Michael Jackson]

I am experiencing an issue with one of the experimental features. In db.py I have auth.settings.manager_group_role = 'SuperUser' . This was working for me in 2.5.1 but now I am getting a ticket saying that manager_group_role doesn't exist. Was this removed or changed?

Thanks,

Michael

[Massimo Di Pierro]

We called it: auth.settings.auth_manager_role