From 13b4572a2f58231272c7f40add706d561ecf4855 Mon Sep 17 00:00:00 2001
From: Daniel Friesel
Date: Mon, 7 Mar 2022 18:12:43 +0100
Subject: limit password length to 10000 characters
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
that should be sufficient…
---
 lib/Travelynx.pm | 2 +-
 lib/Travelynx/Controller/Account.pm | 2 +-
 templates/change_password.html.ep | 4 ++--
 templates/register.html.ep | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/Travelynx.pm b/lib/Travelynx.pm
index 49c1399..eec16ca 100755
--- a/lib/Travelynx.pm
+++ b/lib/Travelynx.pm
@@ -36,7 +36,7 @@ use XML::LibXML;
 sub check_password {
 my ( $password, $hash ) = @_;
- if ( bcrypt( $password, $hash ) eq $hash ) {
+ if ( bcrypt( substr( $password, 0, 10000 ), $hash ) eq $hash ) {
 return 1;
 }
 return 0;
diff --git a/lib/Travelynx/Controller/Account.pm b/lib/Travelynx/Controller/Account.pm
index 0435d51..97ea8ad 100644
--- a/lib/Travelynx/Controller/Account.pm
+++ b/lib/Travelynx/Controller/Account.pm
@@ -13,7 +13,7 @@ sub hash_password {
 my @salt_bytes = map { int( rand(255) ) + 1 } ( 1 .. 16 );
 my $salt = en_base64( pack( 'C[16]', @salt_bytes ) );
- return bcrypt( $password, '$2a$12$' . $salt );
+ return bcrypt( substr( $password, 0, 10000 ), '$2a$12$' . $salt );
 }
 sub make_token {
diff --git a/templates/change_password.html.ep b/templates/change_password.html.ep
index 29aa621..c49226a 100644
--- a/templates/change_password.html.ep
+++ b/templates/change_password.html.ep
@@ -15,12 +15,12 @@
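Review bot: The `substr( $password, 0, 10000 )` in check_password truncates silently, so an over-length password is accepted and compared on its prefix instead of being rejected; hash_password in lib/Travelynx/Controller/Account.pm does the same. bcrypt conventionally keys on only the first 72 bytes of the password, so if the `bcrypt` imported here behaves that way (the import is outside the hunk), the effective limit is already far below 10000 and this cap only bounds the input size. I would reject over-length input where the request parameter is read, keep the number in one place such as `use constant MAX_PASSWORD_LENGTH => 10000;`, and add a comment above the call like `# bcrypt uses at most the first 72 bytes; this cap only bounds input size`. The closing brace of check_password lies outside the hunk.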
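Review bot: The salt in hash_password is still built from `rand()`, which is not a cryptographic generator, and `int( rand(255) ) + 1` can never yield a zero byte; the commit touches the line below but leaves these context lines as they are. A salt exists to be unique per hash, and a PRNG whose seed may be shared between worker processes (not verifiable from this hunk) weakens that. Drawing the 16 bytes from the operating system would fix it, e.g. `open( my $fh, '<:raw', '/dev/urandom' ) or die "urandom: $!";` then `read( $fh, my $raw, 16 ) == 16 or die 'short read from urandom';` and `my $salt = en_base64($raw);`. The start of hash_password is above the hunk.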
lock
- %= password_field 'newpw', id => 'password', class => 'validate', required => undef, minlength => 8, autocomplete => 'new-password'
+ %= password_field 'newpw', id => 'password', class => 'validate', required => undef, minlength => 8, maxlength => 10000, autocomplete => 'new-password'
lock
- %= password_field 'newpw2', id => 'password2', class => 'validate', required => undef, minlength => 8, autocomplete => 'new-password'
+ %= password_field 'newpw2', id => 'password2', class => 'validate', required => undef, minlength => 8, maxlength => 10000, autocomplete => 'new-password'
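Review bot: `maxlength => 10000` on `newpw` and `newpw2` (and on `password`/`password2` in templates/register.html.ep) is enforced only by the browser, so a request submitted without the form reaches the server with a password of any length. The handlers that read these parameters are not part of this diff; as far as the visible code shows, the only server-side handling is the silent `substr` truncation before `bcrypt`. The limit should be checked where the parameter is read, e.g. `if ( length($password) > 10000 ) { ... }` returning the same kind of validation error the existing `minlength` rule presumably has, so the user is told the password was refused rather than shortened.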
diff --git a/templates/register.html.ep b/templates/register.html.ep
index c27b591..7aba55a 100644
--- a/templates/register.html.ep
+++ b/templates/register.html.ep
@@ -17,12 +17,12 @@
lock
- %= password_field 'password', id => 'password', class => 'validate', required => undef, minlength => 8, autocomplete => 'new-password'
+ %= password_field 'password', id => 'password', class => 'validate', required => undef, minlength => 8, maxlength => 10000, autocomplete => 'new-password'
lock
- %= password_field 'password2', id => 'password2', class => 'validate', required => undef, minlength => 8, autocomplete => 'new-password'
+ %= password_field 'password2', id => 'password2', class => 'validate', required => undef, minlength => 8, maxlength => 10000, autocomplete => 'new-password'
-- cgit v1.2.3