| author | Michael Manfre <mike@manfre.net> | 2024-12-11 21:39:32 -0500 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2025-01-14 08:42:24 -0300 |
| commit | ca2be7724e1244a4cb723de40a070f873c6e94bf (patch) | |
| tree | a9a2fd0652af954413e06a578624a7fb91de1533 /django/utils | |
| parent | 9a2dd9789a2edeed7344a8ec0d17142ad27443a1 (diff) | |
Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.
Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz
Felisiak for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Diffstat (limited to 'django/utils')
| -rw-r--r-- | django/utils/ipv6.py | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/django/utils/ipv6.py b/django/utils/ipv6.py
index 8b691b5e66..1b79d52226 100644
--- a/django/utils/ipv6.py
+++ b/django/utils/ipv6.py
@@ -3,9 +3,22 @@ import ipaddress
 from django.core.exceptions import ValidationError
 from django.utils.translation import gettext_lazy as _
 
+MAX_IPV6_ADDRESS_LENGTH = 39
+
+
+def _ipv6_address_from_str(ip_str, max_length=MAX_IPV6_ADDRESS_LENGTH):
+    if len(ip_str) > max_length:
+        raise ValueError(
+            f"Unable to convert {ip_str} to an IPv6 address (value too long)."
+        )
+    return ipaddress.IPv6Address(int(ipaddress.IPv6Address(ip_str)))
+
 
 def clean_ipv6_address(
-    ip_str, unpack_ipv4=False, error_message=_("This is not a valid IPv6 address.")
+    ip_str,
+    unpack_ipv4=False,
+    error_message=_("This is not a valid IPv6 address."),
+    max_length=MAX_IPV6_ADDRESS_LENGTH,
 ):
     """
     Clean an IPv6 address string.
@@ -24,7 +37,7 @@ def clean_ipv6_address(
     Return a compressed IPv6 address or the same value.
     """
     try:
-        addr = ipaddress.IPv6Address(int(ipaddress.IPv6Address(ip_str)))
+        addr = _ipv6_address_from_str(ip_str, max_length)
     except ValueError:
         raise ValidationError(
             error_message, code="invalid", params={"protocol": _("IPv6")}
@@ -43,7 +56,7 @@ def is_valid_ipv6_address(ip_str):
     Return whether or not the `ip_str` string is a valid IPv6 address.
     """
     try:
-        ipaddress.IPv6Address(ip_str)
+        _ipv6_address_from_str(ip_str)
     except ValueError:
         return False
     return True
|
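Review bot: The `len(ip_str) > max_length` guard in the new `_ipv6_address_from_str` uses 39, the length of a fully expanded hex address, but `ipaddress.IPv6Address` also accepts the mixed notation with an embedded dotted-quad IPv4 part, which runs to 45 characters (e.g. `ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255`), so valid inputs in that form longer than 39 characters are now rejected before parsing; the bound should cover that longest valid form (still a fixed small limit, so the DoS mitigation holds), or the module should document that it deliberately excludes it. The helper also has no docstring; I would add `"""Parse ip_str as an IPv6 address, rejecting over-long input before handing it to ipaddress (CVE-2024-56374 mitigation)."""`. Separately, `len()` raises `TypeError` rather than `ValueError` for the `int` and packed-`bytes` inputs that `ipaddress.IPv6Address` accepted before this change, so `is_valid_ipv6_address` would now propagate an exception instead of returning a bool for such callers, if any exist; a leading `if not isinstance(ip_str, str): raise ValueError(...)` would keep the error contract uniform. The body of `clean_ipv6_address` continues outside this hunk.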
