[3.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.

Thanks Seokchan Yoon for reports.

3 files changed, 36 insertions, 3 deletions

diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt
index 9438214a28..5b485f2153 100644
--- a/docs/ref/forms/fields.txt
+++ b/docs/ref/forms/fields.txt
@@ -592,7 +592,12 @@ For each field, we describe the default widget used if you don't specify
     * Error message keys: ``required``, ``invalid``
 
     Has three optional arguments ``max_length``, ``min_length``, and
-    ``empty_value`` which work just as they do for :class:`CharField`.
+    ``empty_value`` which work just as they do for :class:`CharField`. The
+    ``max_length`` argument defaults to 320 (see :rfc:`3696#section-3`).
+
+    .. versionchanged:: 3.2.20
+
+        The default value for ``max_length`` was changed to 320 characters.
 
 ``FileField``
 -------------
diff --git a/docs/ref/validators.txt b/docs/ref/validators.txt
index 50761e5a42..b22762b17b 100644
--- a/docs/ref/validators.txt
+++ b/docs/ref/validators.txt
@@ -130,6 +130,11 @@ to, or in lieu of custom ``field.clean()`` methods.
     :param code: If not ``None``, overrides :attr:`code`.
     :param allowlist: If not ``None``, overrides :attr:`allowlist`.
 
+    An :class:`EmailValidator` ensures that a value looks like an email, and
+    raises a :exc:`~django.core.exceptions.ValidationError` with
+    :attr:`message` and :attr:`code` if it doesn't. Values longer than 320
+    characters are always considered invalid.
+
     .. attribute:: message
 
         The error message used by
@@ -158,13 +163,19 @@ to, or in lieu of custom ``field.clean()`` methods.
         The undocumented ``domain_whitelist`` attribute is deprecated. Use
         ``domain_allowlist`` instead.
 
+    .. versionchanged:: 3.2.20
+
+        In older versions, values longer than 320 characters could be
+        considered valid.
+
 ``URLValidator``
 ----------------
 
 .. class:: URLValidator(schemes=None, regex=None, message=None, code=None)
 
     A :class:`RegexValidator` subclass that ensures a value looks like a URL,
-    and raises an error code of ``'invalid'`` if it doesn't.
+    and raises an error code of ``'invalid'`` if it doesn't. Values longer than
+    :attr:`max_length` characters are always considered invalid.
 
     Loopback addresses and reserved IP spaces are considered valid. Literal
     IPv6 addresses (:rfc:`3986#section-3.2.2`) and Unicode domains are both
@@ -181,6 +192,18 @@ to, or in lieu of custom ``field.clean()`` methods.
 
         .. _valid URI schemes: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
 
+    .. attribute:: max_length
+
+        .. versionadded:: 3.2.20
+
+        The maximum length of values that could be considered valid. Defaults
+        to 2048 characters.
+
+    .. versionchanged:: 3.2.20
+
+        In older versions, values longer than 2048 characters could be
+        considered valid.
+
 ``validate_email``
 ------------------
 
diff --git a/docs/releases/3.2.20.txt b/docs/releases/3.2.20.txt
index e4ef914394..c8f60a70e2 100644
--- a/docs/releases/3.2.20.txt
+++ b/docs/releases/3.2.20.txt
@@ -6,4 +6,9 @@ Django 3.2.20 release notes
 
 Django 3.2.20 fixes a security issue with severity "moderate" in 3.2.19.
 
-...
+CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator``
+===================================================================================================================
+
+``EmailValidator`` and ``URLValidator`` were subject to potential regular
+expression denial of service attack via a very large number of domain name
+labels of emails and URLs.