Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.

Thanks Seokchan Yoon for reports.
2025-10-31 09:41:08 +00:00 · 2023-06-14 12:23:06 +02:00
parent 7eeadc82c2
commit ad0410ec4f
10 changed files with 73 additions and 15 deletions
--- a/django/forms/fields.py
+++ b/django/forms/fields.py
@@ -616,6 +616,9 @@ class EmailField(CharField):
    default_validators = [validators.validate_email]

    def __init__(self, **kwargs):
+        # The default maximum length of an email is 320 characters per RFC 3696
+        # section 3.
+        kwargs.setdefault("max_length", 320)
        super().__init__(strip=True, **kwargs)