From ad866a1ca3e7d60da888d25d27e46a8adb2ed36e Mon Sep 17 00:00:00 2001
From: Natalia <124304+nessita@users.noreply.github.com>
Date: Mon, 6 Jan 2025 15:51:45 -0300
Subject: [4.2.x] Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.

Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz Felisiak for the reviews.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
---
 django/db/models/fields/__init__.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'django/db/models/fields/__init__.py')

diff --git a/django/db/models/fields/__init__.py b/django/db/models/fields/__init__.py
index b65948d783..0cfba4e0aa 100644
--- a/django/db/models/fields/__init__.py
+++ b/django/db/models/fields/__init__.py
@@ -25,7 +25,7 @@ from django.utils.dateparse import (
 )
 from django.utils.duration import duration_microseconds, duration_string
 from django.utils.functional import Promise, cached_property
-from django.utils.ipv6 import clean_ipv6_address
+from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH, clean_ipv6_address
 from django.utils.itercompat import is_iterable
 from django.utils.text import capfirst
 from django.utils.translation import gettext_lazy as _
@@ -2160,7 +2160,7 @@ class GenericIPAddressField(Field):
 invalid_error_message,
 ) = validators.ip_address_validators(protocol, unpack_ipv4)
 self.default_error_messages["invalid"] = invalid_error_message
-kwargs["max_length"] = 39
+kwargs["max_length"] = MAX_IPV6_ADDRESS_LENGTH
 super().__init__(verbose_name, name, *args, **kwargs)

 def check(self, **kwargs):
@@ -2187,7 +2187,7 @@ class GenericIPAddressField(Field):
 kwargs["unpack_ipv4"] = self.unpack_ipv4
 if self.protocol != "both":
 kwargs["protocol"] = self.protocol
-if kwargs.get("max_length") == 39:
+if kwargs.get("max_length") == self.max_length:
 del kwargs["max_length"]
 return name, path, args, kwargs

-- cgit v1.3
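Review bot: In `__init__`, `kwargs["max_length"] = MAX_IPV6_ADDRESS_LENGTH` names the limit but nothing in this hunk rejects an over-long string before it is parsed. The bound that the subject line describes therefore has to be enforced elsewhere, presumably in the validators returned by `validators.ip_address_validators(...)` or in `django.utils.ipv6`, and this file-limited page shows neither. A one-line comment would keep a reader from taking this assignment for the mitigation, for example `# Mirrors the length cap defined in django.utils.ipv6; not itself an input-length check.`, with the wording confirmed against that module. The body of `__init__` starts above the hunk.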
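Review bot: In `deconstruct()`, `kwargs.get("max_length") == self.max_length` reads like a check against the default but no longer compares with one. If `super().deconstruct()` copies `max_length` from the instance (not visible here), the test is true whenever the key is present, so it acts as an unconditional removal. Because `__init__` always overwrites `max_length`, the result is the same today, but `if kwargs.get("max_length") == MAX_IPV6_ADDRESS_LENGTH:` or `kwargs.pop("max_length", None)` would state the intent directly. `deconstruct()` begins above the hunk.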