From cba28c39ad63920c05241f59ce7e1ad6b47039df Mon Sep 17 00:00:00 2001
From: Joas Schilling <nickvergessen@gmx.de>
Date: Fri, 27 Sep 2013 01:18:28 +0200
Subject: [PATCH] [ticket/11873] Do not hash very large passwords in order to
 safe resources.

PHPBB3-11873
---
 phpBB/includes/functions.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index b2b12c1445..eef4ade4e7 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -502,6 +502,13 @@ function phpbb_hash($password)
 */
 function phpbb_check_hash($password, $hash)
 {
+	if (strlen($password) > 4096)
+	{
+		// If the password is too huge, we will simply reject it
+		// and not let the server try to hash it.
+		return false;
+	}
+
 	$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
 	if (strlen($hash) == 34)
 	{