[4.1.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows.

Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2023-10-17 11:48:32 +0200
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2023-11-01 06:26:16 +0100
commit: 4965bfdde2e5a5c883685019e57d123a3368a75e (patch)
tree: 5a513d89b582104dcbcb8513c1abf62009ff993e /django
parent: 8581d916899ccd4fe4c09742c9b2b2d2bf3cc457 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
index 9d6a9918bb..1d23bcc57a 100644
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -71,7 +71,15 @@ class ReadOnlyPasswordHashField(forms.Field):
 
 class UsernameField(forms.CharField):
     def to_python(self, value):
-        return unicodedata.normalize("NFKC", super().to_python(value))
+        value = super().to_python(value)
+        if self.max_length is not None and len(value) > self.max_length:
+            # Normalization can increase the string length (e.g.
+            # "ﬀ" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no
+            # point in normalizing invalid data. Moreover, Unicode
+            # normalization is very slow on Windows and can be a DoS attack
+            # vector.
+            return value
+        return unicodedata.normalize("NFKC", value)
 
     def widget_attrs(self, widget):
         return {
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2023-10-17 11:48:32 +0200
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2023-11-01 06:26:16 +0100
commit	4965bfdde2e5a5c883685019e57d123a3368a75e (patch)
tree	5a513d89b582104dcbcb8513c1abf62009ff993e /django
parent	8581d916899ccd4fe4c09742c9b2b2d2bf3cc457 (diff)