diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-06-14 12:23:06 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-07-03 08:19:23 +0200 |
| commit | b7c5feb35a31799de6e582ad6a5a91a9de74e0f9 (patch) | |
| tree | e1f30c69b702a3e042b67fefffd93dba749a7808 /docs/ref | |
| parent | 1ea11365f61a78051e196e6123d5f987efa90df1 (diff) | |
[4.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.
Thanks Seokchan Yoon for reports.
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/forms/fields.txt | 7 | ||||
| -rw-r--r-- | docs/ref/validators.txt | 25 |
2 files changed, 30 insertions, 2 deletions
diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt index 6954e3819d..1e4f8f957e 100644 --- a/docs/ref/forms/fields.txt +++ b/docs/ref/forms/fields.txt @@ -592,7 +592,12 @@ For each field, we describe the default widget used if you don't specify * Error message keys: ``required``, ``invalid`` Has the optional arguments ``max_length``, ``min_length``, and - ``empty_value`` which work just as they do for :class:`CharField`. + ``empty_value`` which work just as they do for :class:`CharField`. The + ``max_length`` argument defaults to 320 (see :rfc:`3696#section-3`). + + .. versionchanged:: 3.2.20 + + The default value for ``max_length`` was changed to 320 characters. ``FileField`` ------------- diff --git a/docs/ref/validators.txt b/docs/ref/validators.txt index f63d100a26..327951a990 100644 --- a/docs/ref/validators.txt +++ b/docs/ref/validators.txt @@ -133,6 +133,11 @@ to, or in lieu of custom ``field.clean()`` methods. :param code: If not ``None``, overrides :attr:`code`. :param allowlist: If not ``None``, overrides :attr:`allowlist`. + An :class:`EmailValidator` ensures that a value looks like an email, and + raises a :exc:`~django.core.exceptions.ValidationError` with + :attr:`message` and :attr:`code` if it doesn't. Values longer than 320 + characters are always considered invalid. + .. attribute:: message The error message used by @@ -154,13 +159,19 @@ to, or in lieu of custom ``field.clean()`` methods. validation, so you'd need to add them to the ``allowlist`` as necessary. + .. versionchanged:: 3.2.20 + + In older versions, values longer than 320 characters could be + considered valid. + ``URLValidator`` ---------------- .. class:: URLValidator(schemes=None, regex=None, message=None, code=None) A :class:`RegexValidator` subclass that ensures a value looks like a URL, - and raises an error code of ``'invalid'`` if it doesn't. + and raises an error code of ``'invalid'`` if it doesn't. Values longer than + :attr:`max_length` characters are always considered invalid. Loopback addresses and reserved IP spaces are considered valid. Literal IPv6 addresses (:rfc:`3986#section-3.2.2`) and Unicode domains are both @@ -177,6 +188,18 @@ to, or in lieu of custom ``field.clean()`` methods. .. _valid URI schemes: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml + .. attribute:: max_length + + .. versionadded:: 3.2.20 + + The maximum length of values that could be considered valid. Defaults + to 2048 characters. + + .. versionchanged:: 3.2.20 + + In older versions, values longer than 2048 characters could be + considered valid. + ``validate_email`` ------------------ |