Limited decrypt to 256 characters in Mage_Core_Model_Encryption (#2685)

app/code/core/Mage/Core/Model/Encryption.php

@@ -37,10 +37,16 @@ class Mage_Core_Model_Encryption
      */
     public const HASH_VERSION_LATEST = 3;
 
+    /**
+     * Maximum Password Length
+     */
+    public const MAXIMUM_PASSWORD_LENGTH = 256;
+
     /**
      * @var Varien_Crypt_Mcrypt
      */
     protected $_crypt;
+
     /**
      * @var Mage_Core_Helper_Data
      */
@@ -126,6 +132,10 @@ public function hash($data, $version = self::HASH_VERSION_MD5)
      */
     public function validateHash($password, $hash)
     {
+        if (strlen($password) > self::MAXIMUM_PASSWORD_LENGTH) {
+            return false;
+        }
+
         return $this->validateHashByVersion($password, $hash, self::HASH_VERSION_LATEST)
             || $this->validateHashByVersion($password, $hash, self::HASH_VERSION_SHA512)
             || $this->validateHashByVersion($password, $hash, self::HASH_VERSION_SHA256)