[4.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.

Thanks Seokchan Yoon for reports.
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2023-06-14 12:23:06 +0200
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2023-07-03 08:19:23 +0200
commit: b7c5feb35a31799de6e582ad6a5a91a9de74e0f9 (patch)
tree: e1f30c69b702a3e042b67fefffd93dba749a7808 /docs
parent: 1ea11365f61a78051e196e6123d5f987efa90df1 (diff)
5 files changed, 49 insertions, 4 deletions
diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt
index 6954e3819d..1e4f8f957e 100644
--- a/docs/ref/forms/fields.txt
+++ b/docs/ref/forms/fields.txt
@@ -592,7 +592,12 @@ For each field, we describe the default widget used if you don't specify
     * Error message keys: ``required``, ``invalid``
 
     Has the optional arguments ``max_length``, ``min_length``, and
-    ``empty_value`` which work just as they do for :class:`CharField`.
+    ``empty_value`` which work just as they do for :class:`CharField`. The
+    ``max_length`` argument defaults to 320 (see :rfc:`3696#section-3`).
+
+    .. versionchanged:: 3.2.20
+
+        The default value for ``max_length`` was changed to 320 characters.
 
 ``FileField``
 -------------
diff --git a/docs/ref/validators.txt b/docs/ref/validators.txt
index f63d100a26..327951a990 100644
--- a/docs/ref/validators.txt
+++ b/docs/ref/validators.txt
@@ -133,6 +133,11 @@ to, or in lieu of custom ``field.clean()`` methods.
     :param code: If not ``None``, overrides :attr:`code`.
     :param allowlist: If not ``None``, overrides :attr:`allowlist`.
 
+    An :class:`EmailValidator` ensures that a value looks like an email, and
+    raises a :exc:`~django.core.exceptions.ValidationError` with
+    :attr:`message` and :attr:`code` if it doesn't. Values longer than 320
+    characters are always considered invalid.
+
     .. attribute:: message
 
         The error message used by
@@ -154,13 +159,19 @@ to, or in lieu of custom ``field.clean()`` methods.
         validation, so you'd need to add them to the ``allowlist`` as
         necessary.
 
+    .. versionchanged:: 3.2.20
+
+        In older versions, values longer than 320 characters could be
+        considered valid.
+
 ``URLValidator``
 ----------------
 
 .. class:: URLValidator(schemes=None, regex=None, message=None, code=None)
 
     A :class:`RegexValidator` subclass that ensures a value looks like a URL,
-    and raises an error code of ``'invalid'`` if it doesn't.
+    and raises an error code of ``'invalid'`` if it doesn't. Values longer than
+    :attr:`max_length` characters are always considered invalid.
 
     Loopback addresses and reserved IP spaces are considered valid. Literal
     IPv6 addresses (:rfc:`3986#section-3.2.2`) and Unicode domains are both
@@ -177,6 +188,18 @@ to, or in lieu of custom ``field.clean()`` methods.
 
         .. _valid URI schemes: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
 
+    .. attribute:: max_length
+
+        .. versionadded:: 3.2.20
+
+        The maximum length of values that could be considered valid. Defaults
+        to 2048 characters.
+
+    .. versionchanged:: 3.2.20
+
+        In older versions, values longer than 2048 characters could be
+        considered valid.
+
 ``validate_email``
 ------------------
 
diff --git a/docs/releases/3.2.20.txt b/docs/releases/3.2.20.txt
index e4ef914394..c8f60a70e2 100644
--- a/docs/releases/3.2.20.txt
+++ b/docs/releases/3.2.20.txt
@@ -6,4 +6,9 @@ Django 3.2.20 release notes
 
 Django 3.2.20 fixes a security issue with severity "moderate" in 3.2.19.
 
-...
+CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator``
+===================================================================================================================
+
+``EmailValidator`` and ``URLValidator`` were subject to potential regular
+expression denial of service attack via a very large number of domain name
+labels of emails and URLs.
diff --git a/docs/releases/4.1.10.txt b/docs/releases/4.1.10.txt
index 8aaa9723c8..06c99d0e34 100644
--- a/docs/releases/4.1.10.txt
+++ b/docs/releases/4.1.10.txt
@@ -6,4 +6,9 @@ Django 4.1.10 release notes
 
 Django 4.1.10 fixes a security issue with severity "moderate" in 4.1.9.
 
-...
+CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator``
+===================================================================================================================
+
+``EmailValidator`` and ``URLValidator`` were subject to potential regular
+expression denial of service attack via a very large number of domain name
+labels of emails and URLs.
diff --git a/docs/releases/4.2.3.txt b/docs/releases/4.2.3.txt
index 835de58116..c105849739 100644
--- a/docs/releases/4.2.3.txt
+++ b/docs/releases/4.2.3.txt
@@ -7,6 +7,13 @@ Django 4.2.3 release notes
 Django 4.2.3 fixes a security issue with severity "moderate" and several bugs
 in 4.2.2.
 
+CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator``
+===================================================================================================================
+
+``EmailValidator`` and ``URLValidator`` were subject to potential regular
+expression denial of service attack via a very large number of domain name
+labels of emails and URLs.
+
 Bugfixes
 ========
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2023-06-14 12:23:06 +0200
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2023-07-03 08:19:23 +0200
commit	b7c5feb35a31799de6e582ad6a5a91a9de74e0f9 (patch)
tree	e1f30c69b702a3e042b67fefffd93dba749a7808 /docs
parent	1ea11365f61a78051e196e6123d5f987efa90df1 (diff)