diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-06-14 12:23:06 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-07-03 08:32:26 +0200 |
| commit | 454f2fb93437f98917283336201b4048293f7582 (patch) | |
| tree | 6c0c1bf6d7b1c5c367cd4928a4d7e6e10638d7b9 /django/core/validators.py | |
| parent | 07cc014cb30bc3c343a25c81aad6820bbc72c0d9 (diff) | |
[3.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.
Thanks Seokchan Yoon for reports.
Diffstat (limited to 'django/core/validators.py')
| -rw-r--r-- | django/core/validators.py | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/django/core/validators.py b/django/core/validators.py index 731ccf2d46..b9b58dfa61 100644 --- a/django/core/validators.py +++ b/django/core/validators.py @@ -93,6 +93,7 @@ class URLValidator(RegexValidator): message = _('Enter a valid URL.') schemes = ['http', 'https', 'ftp', 'ftps'] unsafe_chars = frozenset('\t\r\n') + max_length = 2048 def __init__(self, schemes=None, **kwargs): super().__init__(**kwargs) @@ -100,7 +101,7 @@ class URLValidator(RegexValidator): self.schemes = schemes def __call__(self, value): - if not isinstance(value, str): + if not isinstance(value, str) or len(value) > self.max_length: raise ValidationError(self.message, code=self.code, params={'value': value}) if self.unsafe_chars.intersection(value): raise ValidationError(self.message, code=self.code, params={'value': value}) @@ -210,7 +211,9 @@ class EmailValidator: self.domain_allowlist = allowlist def __call__(self, value): - if not value or '@' not in value: + # The maximum length of an email is 320 characters per RFC 3696 + # section 3. + if not value or '@' not in value or len(value) > 320: raise ValidationError(self.message, code=self.code, params={'value': value}) user_part, domain_part = value.rsplit('@', 1) |