From 86125bf06d8d795fbfd1ac504db0721dbd3c7af6 Mon Sep 17 00:00:00 2001
From: Antonio de la Rosa <webmaster@web-t-sys.com>
Date: Thu, 17 Nov 2016 05:10:26 +0100
Subject: [PATCH] Little security fix for avoid ddos password attack if not
 using bcrypt encrypting

---
 src/CoreFields/PasswordField.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/CoreFields/PasswordField.php b/src/CoreFields/PasswordField.php
index db09b1f..0cec68d 100644
--- a/src/CoreFields/PasswordField.php
+++ b/src/CoreFields/PasswordField.php
@@ -63,11 +63,15 @@ class PasswordField extends CharField {
             
             $this->error=1;
 		
-            $this->std_error=I18n::lang('common', 'error_null_password', 'Bcrypt have problems using null characters...');
+            $this->std_error=I18n::lang('common', 'error_null_password', 'Password not valid');
             
             return '';
             
         }
+        
+        //Cut the password if is longer than 128 characters. If password_hash use a different password system to bcrypt (have a 72 character limit) is useful for stop ddos passwords attack. 
+        
+        $value=substr ($value, 0, 128);
 		
 		$hash_password=password_hash($value, PASSWORD_DEFAULT);