diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-06-14 12:23:06 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-07-03 08:19:23 +0200 |
| commit | b7c5feb35a31799de6e582ad6a5a91a9de74e0f9 (patch) | |
| tree | e1f30c69b702a3e042b67fefffd93dba749a7808 | |
| parent | 1ea11365f61a78051e196e6123d5f987efa90df1 (diff) | |
[4.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.
Thanks Seokchan Yoon for reports.
| -rw-r--r-- | django/core/validators.py | 7 | ||||
| -rw-r--r-- | django/forms/fields.py | 3 | ||||
| -rw-r--r-- | docs/ref/forms/fields.txt | 7 | ||||
| -rw-r--r-- | docs/ref/validators.txt | 25 | ||||
| -rw-r--r-- | docs/releases/3.2.20.txt | 7 | ||||
| -rw-r--r-- | docs/releases/4.1.10.txt | 7 | ||||
| -rw-r--r-- | docs/releases/4.2.3.txt | 7 | ||||
| -rw-r--r-- | tests/forms_tests/field_tests/test_emailfield.py | 3 | ||||
| -rw-r--r-- | tests/forms_tests/tests/test_deprecation_forms.py | 3 | ||||
| -rw-r--r-- | tests/forms_tests/tests/test_forms.py | 19 | ||||
| -rw-r--r-- | tests/validators/tests.py | 3 |
11 files changed, 75 insertions, 16 deletions
diff --git a/django/core/validators.py b/django/core/validators.py index c73490588d..4a5835dbb0 100644 --- a/django/core/validators.py +++ b/django/core/validators.py @@ -104,6 +104,7 @@ class URLValidator(RegexValidator): message = _("Enter a valid URL.") schemes = ["http", "https", "ftp", "ftps"] unsafe_chars = frozenset("\t\r\n") + max_length = 2048 def __init__(self, schemes=None, **kwargs): super().__init__(**kwargs) @@ -111,7 +112,7 @@ class URLValidator(RegexValidator): self.schemes = schemes def __call__(self, value): - if not isinstance(value, str): + if not isinstance(value, str) or len(value) > self.max_length: raise ValidationError(self.message, code=self.code, params={"value": value}) if self.unsafe_chars.intersection(value): raise ValidationError(self.message, code=self.code, params={"value": value}) @@ -203,7 +204,9 @@ class EmailValidator: self.domain_allowlist = allowlist def __call__(self, value): - if not value or "@" not in value: + # The maximum length of an email is 320 characters per RFC 3696 + # section 3. + if not value or "@" not in value or len(value) > 320: raise ValidationError(self.message, code=self.code, params={"value": value}) user_part, domain_part = value.rsplit("@", 1) diff --git a/django/forms/fields.py b/django/forms/fields.py index 46de2f53a0..01cd831964 100644 --- a/django/forms/fields.py +++ b/django/forms/fields.py @@ -609,6 +609,9 @@ class EmailField(CharField): default_validators = [validators.validate_email] def __init__(self, **kwargs): + # The default maximum length of an email is 320 characters per RFC 3696 + # section 3. + kwargs.setdefault("max_length", 320) super().__init__(strip=True, **kwargs) diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt index 6954e3819d..1e4f8f957e 100644 --- a/docs/ref/forms/fields.txt +++ b/docs/ref/forms/fields.txt @@ -592,7 +592,12 @@ For each field, we describe the default widget used if you don't specify * Error message keys: ``required``, ``invalid`` Has the optional arguments ``max_length``, ``min_length``, and - ``empty_value`` which work just as they do for :class:`CharField`. + ``empty_value`` which work just as they do for :class:`CharField`. The + ``max_length`` argument defaults to 320 (see :rfc:`3696#section-3`). + + .. versionchanged:: 3.2.20 + + The default value for ``max_length`` was changed to 320 characters. ``FileField`` ------------- diff --git a/docs/ref/validators.txt b/docs/ref/validators.txt index f63d100a26..327951a990 100644 --- a/docs/ref/validators.txt +++ b/docs/ref/validators.txt @@ -133,6 +133,11 @@ to, or in lieu of custom ``field.clean()`` methods. :param code: If not ``None``, overrides :attr:`code`. :param allowlist: If not ``None``, overrides :attr:`allowlist`. + An :class:`EmailValidator` ensures that a value looks like an email, and + raises a :exc:`~django.core.exceptions.ValidationError` with + :attr:`message` and :attr:`code` if it doesn't. Values longer than 320 + characters are always considered invalid. + .. attribute:: message The error message used by @@ -154,13 +159,19 @@ to, or in lieu of custom ``field.clean()`` methods. validation, so you'd need to add them to the ``allowlist`` as necessary. + .. versionchanged:: 3.2.20 + + In older versions, values longer than 320 characters could be + considered valid. + ``URLValidator`` ---------------- .. class:: URLValidator(schemes=None, regex=None, message=None, code=None) A :class:`RegexValidator` subclass that ensures a value looks like a URL, - and raises an error code of ``'invalid'`` if it doesn't. + and raises an error code of ``'invalid'`` if it doesn't. Values longer than + :attr:`max_length` characters are always considered invalid. Loopback addresses and reserved IP spaces are considered valid. Literal IPv6 addresses (:rfc:`3986#section-3.2.2`) and Unicode domains are both @@ -177,6 +188,18 @@ to, or in lieu of custom ``field.clean()`` methods. .. _valid URI schemes: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml + .. attribute:: max_length + + .. versionadded:: 3.2.20 + + The maximum length of values that could be considered valid. Defaults + to 2048 characters. + + .. versionchanged:: 3.2.20 + + In older versions, values longer than 2048 characters could be + considered valid. + ``validate_email`` ------------------ diff --git a/docs/releases/3.2.20.txt b/docs/releases/3.2.20.txt index e4ef914394..c8f60a70e2 100644 --- a/docs/releases/3.2.20.txt +++ b/docs/releases/3.2.20.txt @@ -6,4 +6,9 @@ Django 3.2.20 release notes Django 3.2.20 fixes a security issue with severity "moderate" in 3.2.19. -... +CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator`` +=================================================================================================================== + +``EmailValidator`` and ``URLValidator`` were subject to potential regular +expression denial of service attack via a very large number of domain name +labels of emails and URLs. diff --git a/docs/releases/4.1.10.txt b/docs/releases/4.1.10.txt index 8aaa9723c8..06c99d0e34 100644 --- a/docs/releases/4.1.10.txt +++ b/docs/releases/4.1.10.txt @@ -6,4 +6,9 @@ Django 4.1.10 release notes Django 4.1.10 fixes a security issue with severity "moderate" in 4.1.9. -... +CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator`` +=================================================================================================================== + +``EmailValidator`` and ``URLValidator`` were subject to potential regular +expression denial of service attack via a very large number of domain name +labels of emails and URLs. diff --git a/docs/releases/4.2.3.txt b/docs/releases/4.2.3.txt index 835de58116..c105849739 100644 --- a/docs/releases/4.2.3.txt +++ b/docs/releases/4.2.3.txt @@ -7,6 +7,13 @@ Django 4.2.3 release notes Django 4.2.3 fixes a security issue with severity "moderate" and several bugs in 4.2.2. +CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator`` +=================================================================================================================== + +``EmailValidator`` and ``URLValidator`` were subject to potential regular +expression denial of service attack via a very large number of domain name +labels of emails and URLs. + Bugfixes ======== diff --git a/tests/forms_tests/field_tests/test_emailfield.py b/tests/forms_tests/field_tests/test_emailfield.py index 869a1aacc5..079267ca8b 100644 --- a/tests/forms_tests/field_tests/test_emailfield.py +++ b/tests/forms_tests/field_tests/test_emailfield.py @@ -8,8 +8,9 @@ from . import FormFieldAssertionsMixin class EmailFieldTest(FormFieldAssertionsMixin, SimpleTestCase): def test_emailfield_1(self): f = EmailField() + self.assertEqual(f.max_length, 320) self.assertWidgetRendersTo( - f, '<input type="email" name="f" id="id_f" required>' + f, '<input type="email" name="f" id="id_f" maxlength="320" required>' ) with self.assertRaisesMessage(ValidationError, "'This field is required.'"): f.clean("") diff --git a/tests/forms_tests/tests/test_deprecation_forms.py b/tests/forms_tests/tests/test_deprecation_forms.py index 2a4fb6b0e1..d63e83f3cd 100644 --- a/tests/forms_tests/tests/test_deprecation_forms.py +++ b/tests/forms_tests/tests/test_deprecation_forms.py @@ -65,7 +65,8 @@ class DeprecatedTests(SimpleTestCase): '<p>Name: <input type="text" name="name" maxlength="50"></p>' '<div class="errorlist">' '<div class="error">Enter a valid email address.</div></div>' - '<p>Email: <input type="email" name="email" value="invalid" required></p>' + '<p>Email: <input type="email" name="email" value="invalid" ' + 'maxlength="320" required></p>' '<div class="errorlist">' '<div class="error">This field is required.</div></div>' '<p>Comment: <input type="text" name="comment" required></p>', diff --git a/tests/forms_tests/tests/test_forms.py b/tests/forms_tests/tests/test_forms.py index 930a200b14..a73e32902c 100644 --- a/tests/forms_tests/tests/test_forms.py +++ b/tests/forms_tests/tests/test_forms.py @@ -547,7 +547,8 @@ class FormsTestCase(SimpleTestCase): f = SignupForm(auto_id=False) self.assertHTMLEqual( - str(f["email"]), '<input type="email" name="email" required>' + str(f["email"]), + '<input type="email" name="email" maxlength="320" required>', ) self.assertHTMLEqual( str(f["get_spam"]), '<input type="checkbox" name="get_spam" required>' @@ -556,7 +557,8 @@ class FormsTestCase(SimpleTestCase): f = SignupForm({"email": "test@example.com", "get_spam": True}, auto_id=False) self.assertHTMLEqual( str(f["email"]), - '<input type="email" name="email" value="test@example.com" required>', + '<input type="email" name="email" maxlength="320" value="test@example.com" ' + "required>", ) self.assertHTMLEqual( str(f["get_spam"]), @@ -3522,7 +3524,7 @@ Options: <select multiple name="options" required> <option value="false">No</option> </select></li> <li><label for="id_email">Email:</label> - <input type="email" name="email" id="id_email"></li> + <input type="email" name="email" id="id_email" maxlength="320"></li> <li class="required error"><ul class="errorlist"> <li>This field is required.</li></ul> <label class="required" for="id_age">Age:</label> @@ -3544,7 +3546,7 @@ Options: <select multiple name="options" required> <option value="false">No</option> </select></p> <p><label for="id_email">Email:</label> - <input type="email" name="email" id="id_email"></p> + <input type="email" name="email" id="id_email" maxlength="320"></p> <ul class="errorlist"><li>This field is required.</li></ul> <p class="required error"><label class="required" for="id_age">Age:</label> <input type="number" name="age" id="id_age" required></p> @@ -3564,7 +3566,7 @@ Options: <select multiple name="options" required> <option value="false">No</option> </select></td></tr> <tr><th><label for="id_email">Email:</label></th><td> -<input type="email" name="email" id="id_email"></td></tr> +<input type="email" name="email" id="id_email" maxlength="320"></td></tr> <tr class="required error"><th><label class="required" for="id_age">Age:</label></th> <td><ul class="errorlist"><li>This field is required.</li></ul> <input type="number" name="age" id="id_age" required></td></tr>""", @@ -3579,7 +3581,7 @@ Options: <select multiple name="options" required> '<option value="unknown" selected>Unknown</option>' '<option value="true">Yes</option><option value="false">No</option>' '</select></div><div><label for="id_email">Email:</label>' - '<input type="email" name="email" id="id_email" /></div>' + '<input type="email" name="email" id="id_email" maxlength="320"/></div>' '<div class="required error"><label for="id_age" class="required">Age:' '</label><ul class="errorlist"><li>This field is required.</li></ul>' '<input type="number" name="age" required id="id_age" /></div>', @@ -5056,8 +5058,9 @@ class OverrideTests(SimpleTestCase): '<p>Name: <input type="text" name="name" maxlength="50"></p>' '<div class="errorlist">' '<div class="error">Enter a valid email address.</div></div>' - '<p>Email: <input type="email" name="email" value="invalid" required></p>' - '<div class="errorlist">' + "<p>Email: " + '<input type="email" name="email" value="invalid" maxlength="320" required>' + '</p><div class="errorlist">' '<div class="error">This field is required.</div></div>' '<p>Comment: <input type="text" name="comment" required></p>', ) diff --git a/tests/validators/tests.py b/tests/validators/tests.py index 02bee30ac1..e99baab862 100644 --- a/tests/validators/tests.py +++ b/tests/validators/tests.py @@ -106,6 +106,7 @@ VALID_URLS = [ "ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd" "ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd" "ddddddddddddddddd:password@example.com:8080", + "http://userid:password" + "d" * 2000 + "@example.aaaaaaaaaaaaa.com", "http://142.42.1.1/", "http://142.42.1.1:8080/", "http://➡.ws/䨹", @@ -236,6 +237,7 @@ INVALID_URLS = [ "aaaaaa.com", "http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa", + "http://example." + ("a" * 63 + ".") * 1000 + "com", "http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaa" @@ -291,6 +293,7 @@ TEST_DATA = [ (validate_email, "example@%s.%s.atm" % ("a" * 63, "b" * 10), None), (validate_email, "example@atm.%s" % ("a" * 64), ValidationError), (validate_email, "example@%s.atm.%s" % ("b" * 64, "a" * 63), ValidationError), + (validate_email, "example@%scom" % (("a" * 63 + ".") * 100), ValidationError), (validate_email, None, ValidationError), (validate_email, "", ValidationError), (validate_email, "abc", ValidationError), |