[4.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.

Thanks Seokchan Yoon for reports.
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2023-06-14 12:23:06 +0200
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2023-07-03 08:19:23 +0200
commit: b7c5feb35a31799de6e582ad6a5a91a9de74e0f9 (patch)
tree: e1f30c69b702a3e042b67fefffd93dba749a7808 /django
parent: 1ea11365f61a78051e196e6123d5f987efa90df1 (diff)
2 files changed, 8 insertions, 2 deletions
diff --git a/django/core/validators.py b/django/core/validators.py
index c73490588d..4a5835dbb0 100644
--- a/django/core/validators.py
+++ b/django/core/validators.py
@@ -104,6 +104,7 @@ class URLValidator(RegexValidator):
     message = _("Enter a valid URL.")
     schemes = ["http", "https", "ftp", "ftps"]
     unsafe_chars = frozenset("\t\r\n")
+    max_length = 2048
 
     def __init__(self, schemes=None, **kwargs):
         super().__init__(**kwargs)
@@ -111,7 +112,7 @@ class URLValidator(RegexValidator):
             self.schemes = schemes
 
     def __call__(self, value):
-        if not isinstance(value, str):
+        if not isinstance(value, str) or len(value) > self.max_length:
             raise ValidationError(self.message, code=self.code, params={"value": value})
         if self.unsafe_chars.intersection(value):
             raise ValidationError(self.message, code=self.code, params={"value": value})
@@ -203,7 +204,9 @@ class EmailValidator:
             self.domain_allowlist = allowlist
 
     def __call__(self, value):
-        if not value or "@" not in value:
+        # The maximum length of an email is 320 characters per RFC 3696
+        # section 3.
+        if not value or "@" not in value or len(value) > 320:
             raise ValidationError(self.message, code=self.code, params={"value": value})
 
         user_part, domain_part = value.rsplit("@", 1)
diff --git a/django/forms/fields.py b/django/forms/fields.py
index 46de2f53a0..01cd831964 100644
--- a/django/forms/fields.py
+++ b/django/forms/fields.py
@@ -609,6 +609,9 @@ class EmailField(CharField):
     default_validators = [validators.validate_email]
 
     def __init__(self, **kwargs):
+        # The default maximum length of an email is 320 characters per RFC 3696
+        # section 3.
+        kwargs.setdefault("max_length", 320)
         super().__init__(strip=True, **kwargs)
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2023-06-14 12:23:06 +0200
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2023-07-03 08:19:23 +0200
commit	b7c5feb35a31799de6e582ad6a5a91a9de74e0f9 (patch)
tree	e1f30c69b702a3e042b67fefffd93dba749a7808 /django
parent	1ea11365f61a78051e196e6123d5f987efa90df1 (diff)