1379702 - No length defined ( For Setting Password )

Status: RESOLVED FIXED

(bugzilla.mozilla.org :: Extensions, defect)

Description

[Raja Uzair Abdullah]

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170628075643

Steps to reproduce:

I just setup Password with length of 110600 chars 


Actual results:

This will take more space then ordinary passwords in mozilla Server Side


Expected results:

This could lead to the taking more space in Server Side of Mozilla and Could lead to Danial Of Service while Validating Password chars by chars

Comment 1

[Raja Uzair Abdullah]

Its missing Best Practice Vulnerability  (with Limited Impact).

Comment 2

[Emma Humphries ☕️🎸🧞‍♀️✨ (she/they) [:emceeaich] (Pacific Time) use needinfo]

Moving to security while asking for review.

Comment 3

[Dylan Hardison [:dylan] (he/him)]

Passwords are hashed, it doesn't matter how long they are.
The password being huge is not appreciably different than any other field being very big,
so in theory the request would be huge.

Comment 4

[Dylan Hardison [:dylan] (he/him)]

This is a dupe of something, I'll figure it out in the morning. Or maybe someone else can.

Comment 5

[Jonathan Claudius [:claudijd] (use NEEDINFO)]

This does not appear to be a security related bug to me.  I believe dylan has this nailed down with comment 3.

Comment 6

[Raja Uzair Abdullah]

I know,I just found a Missing Best Practice Bug as I Mentioned  in Comment 1

Comment 7

[Dylan Hardison [:dylan] (he/him)]

passwdqc now enforces some very large maximum.

Comment 8

[rajauzairabdullah]

Any HOF chances? i had reported XSS stored but marked as self and too given HOF

Comment 9

[Jonathan Claudius [:claudijd] (use NEEDINFO)]

rajauzairabdullah: Not in this case, we don't assess any security impact to the site or it's users as a result of this.  Thanks for asking though.