diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-06-14 12:23:06 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-07-03 08:27:05 +0200 |
| commit | beb3f3d55940d9aa7198bf9d424ab74e873aec3d (patch) | |
| tree | 9f2a1ec68609b0e1936fe5942697ef0431065d5d /django/core/validators.py | |
| parent | 3b48fe413f91612fb8c43fe9d489860d10c84bf7 (diff) | |
[4.1.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.
Thanks Seokchan Yoon for reports.
Diffstat (limited to 'django/core/validators.py')
| -rw-r--r-- | django/core/validators.py | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/django/core/validators.py b/django/core/validators.py index 473203a67e..4dae05eb5c 100644 --- a/django/core/validators.py +++ b/django/core/validators.py @@ -104,6 +104,7 @@ class URLValidator(RegexValidator): message = _("Enter a valid URL.") schemes = ["http", "https", "ftp", "ftps"] unsafe_chars = frozenset("\t\r\n") + max_length = 2048 def __init__(self, schemes=None, **kwargs): super().__init__(**kwargs) @@ -111,7 +112,7 @@ class URLValidator(RegexValidator): self.schemes = schemes def __call__(self, value): - if not isinstance(value, str): + if not isinstance(value, str) or len(value) > self.max_length: raise ValidationError(self.message, code=self.code, params={"value": value}) if self.unsafe_chars.intersection(value): raise ValidationError(self.message, code=self.code, params={"value": value}) @@ -203,7 +204,9 @@ class EmailValidator: self.domain_allowlist = allowlist def __call__(self, value): - if not value or "@" not in value: + # The maximum length of an email is 320 characters per RFC 3696 + # section 3. + if not value or "@" not in value or len(value) > 320: raise ValidationError(self.message, code=self.code, params={"value": value}) user_part, domain_part = value.rsplit("@", 1) |