[4.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows.

Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2023-10-17 11:48:32 +0200
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2023-11-01 06:19:20 +0100
commit: 048a9ebb6ea468426cb4e57c71572cbbd975517f (patch)
tree: 81e8da018997af0fc97d48f4a9c36f6b0d68688d /django/contrib/auth/forms.py
parent: 3fae5d92da84382483fe48cc62c1f57789b47196 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
index eaae0bf695..061dc81b42 100644
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -71,7 +71,15 @@ class ReadOnlyPasswordHashField(forms.Field):
 
 class UsernameField(forms.CharField):
     def to_python(self, value):
-        return unicodedata.normalize("NFKC", super().to_python(value))
+        value = super().to_python(value)
+        if self.max_length is not None and len(value) > self.max_length:
+            # Normalization can increase the string length (e.g.
+            # "ﬀ" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no
+            # point in normalizing invalid data. Moreover, Unicode
+            # normalization is very slow on Windows and can be a DoS attack
+            # vector.
+            return value
+        return unicodedata.normalize("NFKC", value)
 
     def widget_attrs(self, widget):
         return {
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2023-10-17 11:48:32 +0200
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2023-11-01 06:19:20 +0100
commit	048a9ebb6ea468426cb4e57c71572cbbd975517f (patch)
tree	81e8da018997af0fc97d48f4a9c36f6b0d68688d /django/contrib/auth/forms.py
parent	3fae5d92da84382483fe48cc62c1f57789b47196 (diff)