[4.1.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.

Thanks Seokchan Yoon for reports.

3 files changed, 15 insertions, 10 deletions

diff --git a/tests/forms_tests/field_tests/test_emailfield.py b/tests/forms_tests/field_tests/test_emailfield.py
index 869a1aacc5..079267ca8b 100644
--- a/tests/forms_tests/field_tests/test_emailfield.py
+++ b/tests/forms_tests/field_tests/test_emailfield.py
@@ -8,8 +8,9 @@ from . import FormFieldAssertionsMixin
 class EmailFieldTest(FormFieldAssertionsMixin, SimpleTestCase):
     def test_emailfield_1(self):
         f = EmailField()
+        self.assertEqual(f.max_length, 320)
         self.assertWidgetRendersTo(
-            f, '<input type="email" name="f" id="id_f" required>'
+            f, '<input type="email" name="f" id="id_f" maxlength="320" required>'
         )
         with self.assertRaisesMessage(ValidationError, "'This field is required.'"):
             f.clean("")
diff --git a/tests/forms_tests/tests/test_deprecation_forms.py b/tests/forms_tests/tests/test_deprecation_forms.py
index 2a4fb6b0e1..d63e83f3cd 100644
--- a/tests/forms_tests/tests/test_deprecation_forms.py
+++ b/tests/forms_tests/tests/test_deprecation_forms.py
@@ -65,7 +65,8 @@ class DeprecatedTests(SimpleTestCase):
             '<p>Name: <input type="text" name="name" maxlength="50"></p>'
             '<div class="errorlist">'
             '<div class="error">Enter a valid email address.</div></div>'
-            '<p>Email: <input type="email" name="email" value="invalid" required></p>'
+            '<p>Email: <input type="email" name="email" value="invalid" '
+            'maxlength="320" required></p>'
             '<div class="errorlist">'
             '<div class="error">This field is required.</div></div>'
             '<p>Comment: <input type="text" name="comment" required></p>',
diff --git a/tests/forms_tests/tests/test_forms.py b/tests/forms_tests/tests/test_forms.py
index 6005472194..94db0a43a4 100644
--- a/tests/forms_tests/tests/test_forms.py
+++ b/tests/forms_tests/tests/test_forms.py
@@ -547,7 +547,8 @@ class FormsTestCase(SimpleTestCase):
 
         f = SignupForm(auto_id=False)
         self.assertHTMLEqual(
-            str(f["email"]), '<input type="email" name="email" required>'
+            str(f["email"]),
+            '<input type="email" name="email" maxlength="320" required>',
         )
         self.assertHTMLEqual(
             str(f["get_spam"]), '<input type="checkbox" name="get_spam" required>'
@@ -556,7 +557,8 @@ class FormsTestCase(SimpleTestCase):
         f = SignupForm({"email": "test@example.com", "get_spam": True}, auto_id=False)
         self.assertHTMLEqual(
             str(f["email"]),
-            '<input type="email" name="email" value="test@example.com" required>',
+            '<input type="email" name="email" maxlength="320" value="test@example.com" '
+            "required>",
         )
         self.assertHTMLEqual(
             str(f["get_spam"]),
@@ -3522,7 +3524,7 @@ Options: <select multiple name="options" required>
             <option value="false">No</option>
             </select></li>
             <li><label for="id_email">Email:</label>
-            <input type="email" name="email" id="id_email"></li>
+            <input type="email" name="email" id="id_email" maxlength="320"></li>
             <li class="required error"><ul class="errorlist">
             <li>This field is required.</li></ul>
             <label class="required" for="id_age">Age:</label>
@@ -3544,7 +3546,7 @@ Options: <select multiple name="options" required>
             <option value="false">No</option>
             </select></p>
             <p><label for="id_email">Email:</label>
-            <input type="email" name="email" id="id_email"></p>
+            <input type="email" name="email" id="id_email" maxlength="320"></p>
             <ul class="errorlist"><li>This field is required.</li></ul>
             <p class="required error"><label class="required" for="id_age">Age:</label>
             <input type="number" name="age" id="id_age" required></p>
@@ -3564,7 +3566,7 @@ Options: <select multiple name="options" required>
 <option value="false">No</option>
 </select></td></tr>
 <tr><th><label for="id_email">Email:</label></th><td>
-<input type="email" name="email" id="id_email"></td></tr>
+<input type="email" name="email" id="id_email" maxlength="320"></td></tr>
 <tr class="required error"><th><label class="required" for="id_age">Age:</label></th>
 <td><ul class="errorlist"><li>This field is required.</li></ul>
 <input type="number" name="age" id="id_age" required></td></tr>""",
@@ -3579,7 +3581,7 @@ Options: <select multiple name="options" required>
             '<option value="unknown" selected>Unknown</option>'
             '<option value="true">Yes</option><option value="false">No</option>'
             '</select></div><div><label for="id_email">Email:</label>'
-            '<input type="email" name="email" id="id_email" /></div>'
+            '<input type="email" name="email" id="id_email" maxlength="320"/></div>'
             '<div class="required error"><label for="id_age" class="required">Age:'
             '</label><ul class="errorlist"><li>This field is required.</li></ul>'
             '<input type="number" name="age" required id="id_age" /></div>',
@@ -5040,8 +5042,9 @@ class OverrideTests(SimpleTestCase):
             '<p>Name: <input type="text" name="name" maxlength="50"></p>'
             '<div class="errorlist">'
             '<div class="error">Enter a valid email address.</div></div>'
-            '<p>Email: <input type="email" name="email" value="invalid" required></p>'
-            '<div class="errorlist">'
+            "<p>Email: "
+            '<input type="email" name="email" value="invalid" maxlength="320" required>'
+            '</p><div class="errorlist">'
             '<div class="error">This field is required.</div></div>'
             '<p>Comment: <input type="text" name="comment" required></p>',
         )