1
0
mirror of https://github.com/django/django.git synced 2024-12-22 09:05:43 +00:00

Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.

Thanks Seokchan Yoon for reports.
This commit is contained in:
Mariusz Felisiak 2023-06-14 12:23:06 +02:00
parent 7eeadc82c2
commit ad0410ec4f
10 changed files with 73 additions and 15 deletions

View File

@ -104,6 +104,7 @@ class URLValidator(RegexValidator):
message = _("Enter a valid URL.")
schemes = ["http", "https", "ftp", "ftps"]
unsafe_chars = frozenset("\t\r\n")
max_length = 2048
def __init__(self, schemes=None, **kwargs):
super().__init__(**kwargs)
@ -111,7 +112,7 @@ class URLValidator(RegexValidator):
self.schemes = schemes
def __call__(self, value):
if not isinstance(value, str):
if not isinstance(value, str) or len(value) > self.max_length:
raise ValidationError(self.message, code=self.code, params={"value": value})
if self.unsafe_chars.intersection(value):
raise ValidationError(self.message, code=self.code, params={"value": value})
@ -203,7 +204,9 @@ class EmailValidator:
self.domain_allowlist = allowlist
def __call__(self, value):
if not value or "@" not in value:
# The maximum length of an email is 320 characters per RFC 3696
# section 3.
if not value or "@" not in value or len(value) > 320:
raise ValidationError(self.message, code=self.code, params={"value": value})
user_part, domain_part = value.rsplit("@", 1)

View File

@ -616,6 +616,9 @@ class EmailField(CharField):
default_validators = [validators.validate_email]
def __init__(self, **kwargs):
# The default maximum length of an email is 320 characters per RFC 3696
# section 3.
kwargs.setdefault("max_length", 320)
super().__init__(strip=True, **kwargs)

View File

@ -596,7 +596,12 @@ For each field, we describe the default widget used if you don't specify
* Error message keys: ``required``, ``invalid``
Has the optional arguments ``max_length``, ``min_length``, and
``empty_value`` which work just as they do for :class:`CharField`.
``empty_value`` which work just as they do for :class:`CharField`. The
``max_length`` argument defaults to 320 (see :rfc:`3696#section-3`).
.. versionchanged:: 3.2.20
The default value for ``max_length`` was changed to 320 characters.
``FileField``
-------------

View File

@ -133,6 +133,11 @@ to, or in lieu of custom ``field.clean()`` methods.
:param code: If not ``None``, overrides :attr:`code`.
:param allowlist: If not ``None``, overrides :attr:`allowlist`.
An :class:`EmailValidator` ensures that a value looks like an email, and
raises a :exc:`~django.core.exceptions.ValidationError` with
:attr:`message` and :attr:`code` if it doesn't. Values longer than 320
characters are always considered invalid.
.. attribute:: message
The error message used by
@ -154,13 +159,19 @@ to, or in lieu of custom ``field.clean()`` methods.
validation, so you'd need to add them to the ``allowlist`` as
necessary.
.. versionchanged:: 3.2.20
In older versions, values longer than 320 characters could be
considered valid.
``URLValidator``
----------------
.. class:: URLValidator(schemes=None, regex=None, message=None, code=None)
A :class:`RegexValidator` subclass that ensures a value looks like a URL,
and raises an error code of ``'invalid'`` if it doesn't.
and raises an error code of ``'invalid'`` if it doesn't. Values longer than
:attr:`max_length` characters are always considered invalid.
Loopback addresses and reserved IP spaces are considered valid. Literal
IPv6 addresses (:rfc:`3986#section-3.2.2`) and Unicode domains are both
@ -177,6 +188,18 @@ to, or in lieu of custom ``field.clean()`` methods.
.. _valid URI schemes: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
.. attribute:: max_length
.. versionadded:: 3.2.20
The maximum length of values that could be considered valid. Defaults
to 2048 characters.
.. versionchanged:: 3.2.20
In older versions, values longer than 2048 characters could be
considered valid.
``validate_email``
------------------

View File

@ -6,4 +6,9 @@ Django 3.2.20 release notes
Django 3.2.20 fixes a security issue with severity "moderate" in 3.2.19.
...
CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator``
===================================================================================================================
``EmailValidator`` and ``URLValidator`` were subject to potential regular
expression denial of service attack via a very large number of domain name
labels of emails and URLs.

View File

@ -6,4 +6,9 @@ Django 4.1.10 release notes
Django 4.1.10 fixes a security issue with severity "moderate" in 4.1.9.
...
CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator``
===================================================================================================================
``EmailValidator`` and ``URLValidator`` were subject to potential regular
expression denial of service attack via a very large number of domain name
labels of emails and URLs.

View File

@ -7,6 +7,13 @@ Django 4.2.3 release notes
Django 4.2.3 fixes a security issue with severity "moderate" and several bugs
in 4.2.2.
CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator``
===================================================================================================================
``EmailValidator`` and ``URLValidator`` were subject to potential regular
expression denial of service attack via a very large number of domain name
labels of emails and URLs.
Bugfixes
========

View File

@ -8,8 +8,9 @@ from . import FormFieldAssertionsMixin
class EmailFieldTest(FormFieldAssertionsMixin, SimpleTestCase):
def test_emailfield_1(self):
f = EmailField()
self.assertEqual(f.max_length, 320)
self.assertWidgetRendersTo(
f, '<input type="email" name="f" id="id_f" required>'
f, '<input type="email" name="f" id="id_f" maxlength="320" required>'
)
with self.assertRaisesMessage(ValidationError, "'This field is required.'"):
f.clean("")

View File

@ -546,7 +546,8 @@ class FormsTestCase(SimpleTestCase):
f = SignupForm(auto_id=False)
self.assertHTMLEqual(
str(f["email"]), '<input type="email" name="email" required>'
str(f["email"]),
'<input type="email" name="email" maxlength="320" required>',
)
self.assertHTMLEqual(
str(f["get_spam"]), '<input type="checkbox" name="get_spam" required>'
@ -555,7 +556,8 @@ class FormsTestCase(SimpleTestCase):
f = SignupForm({"email": "test@example.com", "get_spam": True}, auto_id=False)
self.assertHTMLEqual(
str(f["email"]),
'<input type="email" name="email" value="test@example.com" required>',
'<input type="email" name="email" maxlength="320" value="test@example.com" '
"required>",
)
self.assertHTMLEqual(
str(f["get_spam"]),
@ -3521,7 +3523,7 @@ Options: <select multiple name="options" required>
<option value="false">No</option>
</select></li>
<li><label for="id_email">Email:</label>
<input type="email" name="email" id="id_email"></li>
<input type="email" name="email" id="id_email" maxlength="320"></li>
<li class="required error"><ul class="errorlist">
<li>This field is required.</li></ul>
<label class="required" for="id_age">Age:</label>
@ -3543,7 +3545,7 @@ Options: <select multiple name="options" required>
<option value="false">No</option>
</select></p>
<p><label for="id_email">Email:</label>
<input type="email" name="email" id="id_email"></p>
<input type="email" name="email" id="id_email" maxlength="320"></p>
<ul class="errorlist"><li>This field is required.</li></ul>
<p class="required error"><label class="required" for="id_age">Age:</label>
<input type="number" name="age" id="id_age" required></p>
@ -3563,7 +3565,7 @@ Options: <select multiple name="options" required>
<option value="false">No</option>
</select></td></tr>
<tr><th><label for="id_email">Email:</label></th><td>
<input type="email" name="email" id="id_email"></td></tr>
<input type="email" name="email" id="id_email" maxlength="320"></td></tr>
<tr class="required error"><th><label class="required" for="id_age">Age:</label></th>
<td><ul class="errorlist"><li>This field is required.</li></ul>
<input type="number" name="age" id="id_age" required></td></tr>""",
@ -3578,7 +3580,7 @@ Options: <select multiple name="options" required>
'<option value="unknown" selected>Unknown</option>'
'<option value="true">Yes</option><option value="false">No</option>'
'</select></div><div><label for="id_email">Email:</label>'
'<input type="email" name="email" id="id_email" /></div>'
'<input type="email" name="email" id="id_email" maxlength="320"/></div>'
'<div class="required error"><label for="id_age" class="required">Age:'
'</label><ul class="errorlist"><li>This field is required.</li></ul>'
'<input type="number" name="age" required id="id_age" /></div>',
@ -5094,8 +5096,9 @@ class OverrideTests(SimpleTestCase):
'<p>Name: <input type="text" name="name" maxlength="50"></p>'
'<div class="errorlist">'
'<div class="error">Enter a valid email address.</div></div>'
'<p>Email: <input type="email" name="email" value="invalid" required></p>'
'<div class="errorlist">'
"<p>Email: "
'<input type="email" name="email" value="invalid" maxlength="320" required>'
'</p><div class="errorlist">'
'<div class="error">This field is required.</div></div>'
'<p>Comment: <input type="text" name="comment" required></p>',
)

View File

@ -106,6 +106,7 @@ VALID_URLS = [
"ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
"ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
"ddddddddddddddddd:password@example.com:8080",
"http://userid:password" + "d" * 2000 + "@example.aaaaaaaaaaaaa.com",
"http://142.42.1.1/",
"http://142.42.1.1:8080/",
"http://➡.ws/䨹",
@ -236,6 +237,7 @@ INVALID_URLS = [
"aaaaaa.com",
"http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaa",
"http://example." + ("a" * 63 + ".") * 1000 + "com",
"http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaa"
@ -291,6 +293,7 @@ TEST_DATA = [
(validate_email, "example@%s.%s.atm" % ("a" * 63, "b" * 10), None),
(validate_email, "example@atm.%s" % ("a" * 64), ValidationError),
(validate_email, "example@%s.atm.%s" % ("b" * 64, "a" * 63), ValidationError),
(validate_email, "example@%scom" % (("a" * 63 + ".") * 100), ValidationError),
(validate_email, None, ValidationError),
(validate_email, "", ValidationError),
(validate_email, "abc", ValidationError),