From beb3f3d55940d9aa7198bf9d424ab74e873aec3d Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak
Date: Wed, 14 Jun 2023 12:23:06 +0200
Subject: [4.1.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.
Thanks Seokchan Yoon for reports.
---
 django/forms/fields.py | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'django/forms/fields.py')
diff --git a/django/forms/fields.py b/django/forms/fields.py
index 8fa7b72cfd..271a178d0b 100644
--- a/django/forms/fields.py
+++ b/django/forms/fields.py
@@ -609,6 +609,9 @@ class EmailField(CharField):
 default_validators = [validators.validate_email]
 def __init__(self, **kwargs):
+ # The default maximum length of an email is 320 characters per RFC 3696
+ # section 3.
+ kwargs.setdefault("max_length", 320)
 super().__init__(strip=True, **kwargs)
-- cgit v1.3
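Review bot: `kwargs.setdefault("max_length", 320)` only fills in a missing key, so a form that passes `max_length=None` or a larger value to EmailField gets no 320-character cap from this field and depends entirely on whatever length check the validator performs. The comment above it cites RFC 3696 but does not say that the cap is part of the CVE-2023-36053 ReDoS mitigation, so a later change could relax it as a mere conformance detail. I would extend the comment with something like `# Also bounds the input handed to validate_email (CVE-2023-36053); an explicit max_length overrides this default.` This view is limited to django/forms/fields.py, so it is worth confirming that the validator-side limit exists in the rest of the commit and that a test covers the `max_length=None` case. The EmailField class body starts above the hunk.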