[ticket/11873] Do not hash very large passwords in order to safe resources.

PHPBB3-11873
2025-05-29 02:29:21 +02:00 · 2013-09-27 01:18:28 +02:00 · 2013-09-27 01:18:28 +02:00 · cba28c39ad
commit cba28c39ad
parent d18bded3ac
1 changed files with 7 additions and 0 deletions
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@ -502,6 +502,13 @@ function phpbb_hash($password)
 */
 function phpbb_check_hash($password, $hash)
 {
+	if (strlen($password) > 4096)
+	{
+		// If the password is too huge, we will simply reject it
+		// and not let the server try to hash it.
+		return false;
+	}
+
 	$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
 	if (strlen($hash) == 34)
 	{