From 048a9ebb6ea468426cb4e57c71572cbbd975517f Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Tue, 17 Oct 2023 11:48:32 +0200 Subject: [4.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. --- tests/auth_tests/test_forms.py | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'tests') diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py index 7a80adbf31..81c56a428e 100644 --- a/tests/auth_tests/test_forms.py +++ b/tests/auth_tests/test_forms.py @@ -14,6 +14,7 @@ from django.contrib.auth.forms import ( SetPasswordForm, UserChangeForm, UserCreationForm, + UsernameField, ) from django.contrib.auth.models import User from django.contrib.auth.signals import user_login_failed @@ -154,6 +155,12 @@ class BaseUserCreationFormTest(TestDataMixin, TestCase): self.assertNotEqual(user.username, ohm_username) self.assertEqual(user.username, "testΩ") # U+03A9 GREEK CAPITAL LETTER OMEGA + def test_invalid_username_no_normalize(self): + field = UsernameField(max_length=254) + # Usernames are not normalized if they are too long. + self.assertEqual(field.to_python("½" * 255), "½" * 255) + self.assertEqual(field.to_python("ff" * 254), "ff" * 254) + def test_duplicate_normalized_unicode(self): """ To prevent almost identical usernames, visually identical but differing -- cgit v1.3