From 4965bfdde2e5a5c883685019e57d123a3368a75e Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Tue, 17 Oct 2023 11:48:32 +0200 Subject: [PATCH] [4.1.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. --- django/contrib/auth/forms.py | 10 +++++++++- docs/releases/3.2.23.txt | 12 +++++++++++- docs/releases/4.1.13.txt | 12 +++++++++++- tests/auth_tests/test_forms.py | 7 +++++++ 4 files changed, 38 insertions(+), 3 deletions(-) diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py index 9d6a9918bb..1d23bcc57a 100644 --- a/django/contrib/auth/forms.py +++ b/django/contrib/auth/forms.py @@ -71,7 +71,15 @@ class ReadOnlyPasswordHashField(forms.Field): class UsernameField(forms.CharField): def to_python(self, value): - return unicodedata.normalize("NFKC", super().to_python(value)) + value = super().to_python(value) + if self.max_length is not None and len(value) > self.max_length: + # Normalization can increase the string length (e.g. + # "ff" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no + # point in normalizing invalid data. Moreover, Unicode + # normalization is very slow on Windows and can be a DoS attack + # vector. + return value + return unicodedata.normalize("NFKC", value) def widget_attrs(self, widget): return { diff --git a/docs/releases/3.2.23.txt b/docs/releases/3.2.23.txt index 0d71a0aa71..ba23d11a71 100644 --- a/docs/releases/3.2.23.txt +++ b/docs/releases/3.2.23.txt @@ -6,4 +6,14 @@ Django 3.2.23 release notes Django 3.2.23 fixes a security issue with severity "moderate" in 3.2.22. -... +CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows +========================================================================================= + +The :func:`NFKC normalization ` is slow on +Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was +subject to a potential denial of service attack via certain inputs with a very +large number of Unicode characters. + +In order to avoid the vulnerability, invalid values longer than +``UsernameField.max_length`` are no longer normalized, since they cannot pass +validation anyway. diff --git a/docs/releases/4.1.13.txt b/docs/releases/4.1.13.txt index c2fb5afcd3..01ad5dda62 100644 --- a/docs/releases/4.1.13.txt +++ b/docs/releases/4.1.13.txt @@ -6,4 +6,14 @@ Django 4.1.13 release notes Django 4.1.13 fixes a security issue with severity "moderate" in 4.1.12. -... +CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows +========================================================================================= + +The :func:`NFKC normalization ` is slow on +Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was +subject to a potential denial of service attack via certain inputs with a very +large number of Unicode characters. + +In order to avoid the vulnerability, invalid values longer than +``UsernameField.max_length`` are no longer normalized, since they cannot pass +validation anyway. diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py index ea52254123..f3938d0275 100644 --- a/tests/auth_tests/test_forms.py +++ b/tests/auth_tests/test_forms.py @@ -12,6 +12,7 @@ from django.contrib.auth.forms import ( SetPasswordForm, UserChangeForm, UserCreationForm, + UsernameField, ) from django.contrib.auth.models import User from django.contrib.auth.signals import user_login_failed @@ -150,6 +151,12 @@ class UserCreationFormTest(TestDataMixin, TestCase): self.assertNotEqual(user.username, ohm_username) self.assertEqual(user.username, "testΩ") # U+03A9 GREEK CAPITAL LETTER OMEGA + def test_invalid_username_no_normalize(self): + field = UsernameField(max_length=254) + # Usernames are not normalized if they are too long. + self.assertEqual(field.to_python("½" * 255), "½" * 255) + self.assertEqual(field.to_python("ff" * 254), "ff" * 254) + def test_duplicate_normalized_unicode(self): """ To prevent almost identical usernames, visually identical but differing