summaryrefslogtreecommitdiff
path: root/django/contrib/auth/forms.py
diff options
context:
space:
mode:
Diffstat (limited to 'django/contrib/auth/forms.py')
-rw-r--r--django/contrib/auth/forms.py10
1 files changed, 9 insertions, 1 deletions
diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
index 9d6a9918bb..1d23bcc57a 100644
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -71,7 +71,15 @@ class ReadOnlyPasswordHashField(forms.Field):
class UsernameField(forms.CharField):
def to_python(self, value):
- return unicodedata.normalize("NFKC", super().to_python(value))
+ value = super().to_python(value)
+ if self.max_length is not None and len(value) > self.max_length:
+ # Normalization can increase the string length (e.g.
+ # "ff" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no
+ # point in normalizing invalid data. Moreover, Unicode
+ # normalization is very slow on Windows and can be a DoS attack
+ # vector.
+ return value
+ return unicodedata.normalize("NFKC", value)
def widget_attrs(self, widget):
return {
generated by cgit v1.3 (git 2.53.0) at 2026-05-01 23:04:20 +0000