[3.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows.

Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2023-10-17 11:48:32 +0200
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2023-11-01 06:30:59 +0100
commit: f9a7fb8466a7ba4857eaf930099b5258f3eafb2b (patch)
tree: cfe6adc993d91c910dcc6e54f46c57c1e33e797b /django
parent: e6d2591d9e8a517b891e49de476640ecae93cc41 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
index 20d8922799..fb7cfda209 100644
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -62,7 +62,15 @@ class ReadOnlyPasswordHashField(forms.Field):
 
 class UsernameField(forms.CharField):
     def to_python(self, value):
-        return unicodedata.normalize('NFKC', super().to_python(value))
+        value = super().to_python(value)
+        if self.max_length is not None and len(value) > self.max_length:
+            # Normalization can increase the string length (e.g.
+            # "ﬀ" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no
+            # point in normalizing invalid data. Moreover, Unicode
+            # normalization is very slow on Windows and can be a DoS attack
+            # vector.
+            return value
+        return unicodedata.normalize("NFKC", value)
 
     def widget_attrs(self, widget):
         return {
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2023-10-17 11:48:32 +0200
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2023-11-01 06:30:59 +0100
commit	f9a7fb8466a7ba4857eaf930099b5258f3eafb2b (patch)
tree	cfe6adc993d91c910dcc6e54f46c57c1e33e797b /django
parent	e6d2591d9e8a517b891e49de476640ecae93cc41 (diff)