mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-01-03 06:55:47 +00:00
Code Issues 30 Releases Wiki Activity

Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows.

Browse Source 
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
This commit is contained in:
Mariusz Felisiak 2023-10-17 11:48:32 +02:00
parent 40b3975e7d
commit 05ba4130ee
5 changed files with 50 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
django/contrib/auth/forms.py
View File

@ -71,7 +71,15 @@ class ReadOnlyPasswordHashField(forms.Field):
class UsernameField(forms.CharField): class UsernameField(forms.CharField):
def to_python(self, value): def to_python(self, value):
return unicodedata.normalize("NFKC", super().to_python(value)) value = super().to_python(value)
if self.max_length is not None and len(value) > self.max_length:
# Normalization can increase the string length (e.g.
# "ff" -> "ff", "½" -> "12") but cannot reduce it, so there is no
# point in normalizing invalid data. Moreover, Unicode
# normalization is very slow on Windows and can be a DoS attack
# vector.
return value
return unicodedata.normalize("NFKC", value)
def widget_attrs(self, widget): def widget_attrs(self, widget):
return { return {

12
docs/releases/3.2.23.txt
View File

@ -6,4 +6,14 @@ Django 3.2.23 release notes
Django 3.2.23 fixes a security issue with severity "moderate" in 3.2.22. Django 3.2.23 fixes a security issue with severity "moderate" in 3.2.22.
... CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
=========================================================================================
The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
subject to a potential denial of service attack via certain inputs with a very
large number of Unicode characters.
In order to avoid the vulnerability, invalid values longer than
``UsernameField.max_length`` are no longer normalized, since they cannot pass
validation anyway.

12
docs/releases/4.1.13.txt
View File

@ -6,4 +6,14 @@ Django 4.1.13 release notes
Django 4.1.13 fixes a security issue with severity "moderate" in 4.1.12. Django 4.1.13 fixes a security issue with severity "moderate" in 4.1.12.
... CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
=========================================================================================
The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
subject to a potential denial of service attack via certain inputs with a very
large number of Unicode characters.
In order to avoid the vulnerability, invalid values longer than
``UsernameField.max_length`` are no longer normalized, since they cannot pass
validation anyway.

12
docs/releases/4.2.7.txt
View File

@ -7,6 +7,18 @@ Django 4.2.7 release notes
Django 4.2.7 fixes a security issue with severity "moderate" and several bugs Django 4.2.7 fixes a security issue with severity "moderate" and several bugs
in 4.2.6. in 4.2.6.
CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
=========================================================================================
The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
subject to a potential denial of service attack via certain inputs with a very
large number of Unicode characters.
In order to avoid the vulnerability, invalid values longer than
``UsernameField.max_length`` are no longer normalized, since they cannot pass
validation anyway.
Bugfixes Bugfixes
======== ========

7
tests/auth_tests/test_forms.py
View File

@ -14,6 +14,7 @@ from django.contrib.auth.forms import (
SetPasswordForm, SetPasswordForm,
UserChangeForm, UserChangeForm,
UserCreationForm, UserCreationForm,
UsernameField,
) )
from django.contrib.auth.models import User from django.contrib.auth.models import User
from django.contrib.auth.signals import user_login_failed from django.contrib.auth.signals import user_login_failed
@ -154,6 +155,12 @@ class BaseUserCreationFormTest(TestDataMixin, TestCase):
self.assertNotEqual(user.username, ohm_username) self.assertNotEqual(user.username, ohm_username)
self.assertEqual(user.username, "testΩ") # U+03A9 GREEK CAPITAL LETTER OMEGA self.assertEqual(user.username, "testΩ") # U+03A9 GREEK CAPITAL LETTER OMEGA
def test_invalid_username_no_normalize(self):
field = UsernameField(max_length=254)
# Usernames are not normalized if they are too long.
self.assertEqual(field.to_python("½" * 255), "½" * 255)
self.assertEqual(field.to_python("" * 254), "ff" * 254)
def test_duplicate_normalized_unicode(self): def test_duplicate_normalized_unicode(self):
""" """
To prevent almost identical usernames, visually identical but differing To prevent almost identical usernames, visually identical but differing