diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-06-14 12:23:06 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-07-03 08:27:05 +0200 |
| commit | beb3f3d55940d9aa7198bf9d424ab74e873aec3d (patch) | |
| tree | 9f2a1ec68609b0e1936fe5942697ef0431065d5d /docs/ref | |
| parent | 3b48fe413f91612fb8c43fe9d489860d10c84bf7 (diff) | |
[4.1.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.
Thanks Seokchan Yoon for reports.
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/forms/fields.txt | 7 | ||||
| -rw-r--r-- | docs/ref/validators.txt | 25 |
2 files changed, 30 insertions, 2 deletions
diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt index 4d0205b4d3..9d523fd9c3 100644 --- a/docs/ref/forms/fields.txt +++ b/docs/ref/forms/fields.txt @@ -561,7 +561,12 @@ For each field, we describe the default widget used if you don't specify * Error message keys: ``required``, ``invalid`` Has the optional arguments ``max_length``, ``min_length``, and - ``empty_value`` which work just as they do for :class:`CharField`. + ``empty_value`` which work just as they do for :class:`CharField`. The + ``max_length`` argument defaults to 320 (see :rfc:`3696#section-3`). + + .. versionchanged:: 3.2.20 + + The default value for ``max_length`` was changed to 320 characters. ``FileField`` ------------- diff --git a/docs/ref/validators.txt b/docs/ref/validators.txt index 3fd1db7ded..9ea2df4321 100644 --- a/docs/ref/validators.txt +++ b/docs/ref/validators.txt @@ -130,6 +130,11 @@ to, or in lieu of custom ``field.clean()`` methods. :param code: If not ``None``, overrides :attr:`code`. :param allowlist: If not ``None``, overrides :attr:`allowlist`. + An :class:`EmailValidator` ensures that a value looks like an email, and + raises a :exc:`~django.core.exceptions.ValidationError` with + :attr:`message` and :attr:`code` if it doesn't. Values longer than 320 + characters are always considered invalid. + .. attribute:: message The error message used by @@ -151,13 +156,19 @@ to, or in lieu of custom ``field.clean()`` methods. validation, so you'd need to add them to the ``allowlist`` as necessary. + .. versionchanged:: 3.2.20 + + In older versions, values longer than 320 characters could be + considered valid. + ``URLValidator`` ---------------- .. class:: URLValidator(schemes=None, regex=None, message=None, code=None) A :class:`RegexValidator` subclass that ensures a value looks like a URL, - and raises an error code of ``'invalid'`` if it doesn't. + and raises an error code of ``'invalid'`` if it doesn't. Values longer than + :attr:`max_length` characters are always considered invalid. Loopback addresses and reserved IP spaces are considered valid. Literal IPv6 addresses (:rfc:`3986#section-3.2.2`) and Unicode domains are both @@ -174,6 +185,18 @@ to, or in lieu of custom ``field.clean()`` methods. .. _valid URI schemes: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml + .. attribute:: max_length + + .. versionadded:: 3.2.20 + + The maximum length of values that could be considered valid. Defaults + to 2048 characters. + + .. versionchanged:: 3.2.20 + + In older versions, values longer than 2048 characters could be + considered valid. + ``validate_email`` ------------------ |