mirror of
https://github.com/django/django.git
synced 2024-12-22 17:16:24 +00:00
Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.
Thanks Seokchan Yoon for reports.
This commit is contained in:
parent
7eeadc82c2
commit
ad0410ec4f
@ -104,6 +104,7 @@ class URLValidator(RegexValidator):
|
||||
message = _("Enter a valid URL.")
|
||||
schemes = ["http", "https", "ftp", "ftps"]
|
||||
unsafe_chars = frozenset("\t\r\n")
|
||||
max_length = 2048
|
||||
|
||||
def __init__(self, schemes=None, **kwargs):
|
||||
super().__init__(**kwargs)
|
||||
@ -111,7 +112,7 @@ class URLValidator(RegexValidator):
|
||||
self.schemes = schemes
|
||||
|
||||
def __call__(self, value):
|
||||
if not isinstance(value, str):
|
||||
if not isinstance(value, str) or len(value) > self.max_length:
|
||||
raise ValidationError(self.message, code=self.code, params={"value": value})
|
||||
if self.unsafe_chars.intersection(value):
|
||||
raise ValidationError(self.message, code=self.code, params={"value": value})
|
||||
@ -203,7 +204,9 @@ class EmailValidator:
|
||||
self.domain_allowlist = allowlist
|
||||
|
||||
def __call__(self, value):
|
||||
if not value or "@" not in value:
|
||||
# The maximum length of an email is 320 characters per RFC 3696
|
||||
# section 3.
|
||||
if not value or "@" not in value or len(value) > 320:
|
||||
raise ValidationError(self.message, code=self.code, params={"value": value})
|
||||
|
||||
user_part, domain_part = value.rsplit("@", 1)
|
||||
|
@ -616,6 +616,9 @@ class EmailField(CharField):
|
||||
default_validators = [validators.validate_email]
|
||||
|
||||
def __init__(self, **kwargs):
|
||||
# The default maximum length of an email is 320 characters per RFC 3696
|
||||
# section 3.
|
||||
kwargs.setdefault("max_length", 320)
|
||||
super().__init__(strip=True, **kwargs)
|
||||
|
||||
|
||||
|
@ -596,7 +596,12 @@ For each field, we describe the default widget used if you don't specify
|
||||
* Error message keys: ``required``, ``invalid``
|
||||
|
||||
Has the optional arguments ``max_length``, ``min_length``, and
|
||||
``empty_value`` which work just as they do for :class:`CharField`.
|
||||
``empty_value`` which work just as they do for :class:`CharField`. The
|
||||
``max_length`` argument defaults to 320 (see :rfc:`3696#section-3`).
|
||||
|
||||
.. versionchanged:: 3.2.20
|
||||
|
||||
The default value for ``max_length`` was changed to 320 characters.
|
||||
|
||||
``FileField``
|
||||
-------------
|
||||
|
@ -133,6 +133,11 @@ to, or in lieu of custom ``field.clean()`` methods.
|
||||
:param code: If not ``None``, overrides :attr:`code`.
|
||||
:param allowlist: If not ``None``, overrides :attr:`allowlist`.
|
||||
|
||||
An :class:`EmailValidator` ensures that a value looks like an email, and
|
||||
raises a :exc:`~django.core.exceptions.ValidationError` with
|
||||
:attr:`message` and :attr:`code` if it doesn't. Values longer than 320
|
||||
characters are always considered invalid.
|
||||
|
||||
.. attribute:: message
|
||||
|
||||
The error message used by
|
||||
@ -154,13 +159,19 @@ to, or in lieu of custom ``field.clean()`` methods.
|
||||
validation, so you'd need to add them to the ``allowlist`` as
|
||||
necessary.
|
||||
|
||||
.. versionchanged:: 3.2.20
|
||||
|
||||
In older versions, values longer than 320 characters could be
|
||||
considered valid.
|
||||
|
||||
``URLValidator``
|
||||
----------------
|
||||
|
||||
.. class:: URLValidator(schemes=None, regex=None, message=None, code=None)
|
||||
|
||||
A :class:`RegexValidator` subclass that ensures a value looks like a URL,
|
||||
and raises an error code of ``'invalid'`` if it doesn't.
|
||||
and raises an error code of ``'invalid'`` if it doesn't. Values longer than
|
||||
:attr:`max_length` characters are always considered invalid.
|
||||
|
||||
Loopback addresses and reserved IP spaces are considered valid. Literal
|
||||
IPv6 addresses (:rfc:`3986#section-3.2.2`) and Unicode domains are both
|
||||
@ -177,6 +188,18 @@ to, or in lieu of custom ``field.clean()`` methods.
|
||||
|
||||
.. _valid URI schemes: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
|
||||
|
||||
.. attribute:: max_length
|
||||
|
||||
.. versionadded:: 3.2.20
|
||||
|
||||
The maximum length of values that could be considered valid. Defaults
|
||||
to 2048 characters.
|
||||
|
||||
.. versionchanged:: 3.2.20
|
||||
|
||||
In older versions, values longer than 2048 characters could be
|
||||
considered valid.
|
||||
|
||||
``validate_email``
|
||||
------------------
|
||||
|
||||
|
@ -6,4 +6,9 @@ Django 3.2.20 release notes
|
||||
|
||||
Django 3.2.20 fixes a security issue with severity "moderate" in 3.2.19.
|
||||
|
||||
...
|
||||
CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator``
|
||||
===================================================================================================================
|
||||
|
||||
``EmailValidator`` and ``URLValidator`` were subject to potential regular
|
||||
expression denial of service attack via a very large number of domain name
|
||||
labels of emails and URLs.
|
||||
|
@ -6,4 +6,9 @@ Django 4.1.10 release notes
|
||||
|
||||
Django 4.1.10 fixes a security issue with severity "moderate" in 4.1.9.
|
||||
|
||||
...
|
||||
CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator``
|
||||
===================================================================================================================
|
||||
|
||||
``EmailValidator`` and ``URLValidator`` were subject to potential regular
|
||||
expression denial of service attack via a very large number of domain name
|
||||
labels of emails and URLs.
|
||||
|
@ -7,6 +7,13 @@ Django 4.2.3 release notes
|
||||
Django 4.2.3 fixes a security issue with severity "moderate" and several bugs
|
||||
in 4.2.2.
|
||||
|
||||
CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator``
|
||||
===================================================================================================================
|
||||
|
||||
``EmailValidator`` and ``URLValidator`` were subject to potential regular
|
||||
expression denial of service attack via a very large number of domain name
|
||||
labels of emails and URLs.
|
||||
|
||||
Bugfixes
|
||||
========
|
||||
|
||||
|
@ -8,8 +8,9 @@ from . import FormFieldAssertionsMixin
|
||||
class EmailFieldTest(FormFieldAssertionsMixin, SimpleTestCase):
|
||||
def test_emailfield_1(self):
|
||||
f = EmailField()
|
||||
self.assertEqual(f.max_length, 320)
|
||||
self.assertWidgetRendersTo(
|
||||
f, '<input type="email" name="f" id="id_f" required>'
|
||||
f, '<input type="email" name="f" id="id_f" maxlength="320" required>'
|
||||
)
|
||||
with self.assertRaisesMessage(ValidationError, "'This field is required.'"):
|
||||
f.clean("")
|
||||
|
@ -546,7 +546,8 @@ class FormsTestCase(SimpleTestCase):
|
||||
|
||||
f = SignupForm(auto_id=False)
|
||||
self.assertHTMLEqual(
|
||||
str(f["email"]), '<input type="email" name="email" required>'
|
||||
str(f["email"]),
|
||||
'<input type="email" name="email" maxlength="320" required>',
|
||||
)
|
||||
self.assertHTMLEqual(
|
||||
str(f["get_spam"]), '<input type="checkbox" name="get_spam" required>'
|
||||
@ -555,7 +556,8 @@ class FormsTestCase(SimpleTestCase):
|
||||
f = SignupForm({"email": "test@example.com", "get_spam": True}, auto_id=False)
|
||||
self.assertHTMLEqual(
|
||||
str(f["email"]),
|
||||
'<input type="email" name="email" value="test@example.com" required>',
|
||||
'<input type="email" name="email" maxlength="320" value="test@example.com" '
|
||||
"required>",
|
||||
)
|
||||
self.assertHTMLEqual(
|
||||
str(f["get_spam"]),
|
||||
@ -3521,7 +3523,7 @@ Options: <select multiple name="options" required>
|
||||
<option value="false">No</option>
|
||||
</select></li>
|
||||
<li><label for="id_email">Email:</label>
|
||||
<input type="email" name="email" id="id_email"></li>
|
||||
<input type="email" name="email" id="id_email" maxlength="320"></li>
|
||||
<li class="required error"><ul class="errorlist">
|
||||
<li>This field is required.</li></ul>
|
||||
<label class="required" for="id_age">Age:</label>
|
||||
@ -3543,7 +3545,7 @@ Options: <select multiple name="options" required>
|
||||
<option value="false">No</option>
|
||||
</select></p>
|
||||
<p><label for="id_email">Email:</label>
|
||||
<input type="email" name="email" id="id_email"></p>
|
||||
<input type="email" name="email" id="id_email" maxlength="320"></p>
|
||||
<ul class="errorlist"><li>This field is required.</li></ul>
|
||||
<p class="required error"><label class="required" for="id_age">Age:</label>
|
||||
<input type="number" name="age" id="id_age" required></p>
|
||||
@ -3563,7 +3565,7 @@ Options: <select multiple name="options" required>
|
||||
<option value="false">No</option>
|
||||
</select></td></tr>
|
||||
<tr><th><label for="id_email">Email:</label></th><td>
|
||||
<input type="email" name="email" id="id_email"></td></tr>
|
||||
<input type="email" name="email" id="id_email" maxlength="320"></td></tr>
|
||||
<tr class="required error"><th><label class="required" for="id_age">Age:</label></th>
|
||||
<td><ul class="errorlist"><li>This field is required.</li></ul>
|
||||
<input type="number" name="age" id="id_age" required></td></tr>""",
|
||||
@ -3578,7 +3580,7 @@ Options: <select multiple name="options" required>
|
||||
'<option value="unknown" selected>Unknown</option>'
|
||||
'<option value="true">Yes</option><option value="false">No</option>'
|
||||
'</select></div><div><label for="id_email">Email:</label>'
|
||||
'<input type="email" name="email" id="id_email" /></div>'
|
||||
'<input type="email" name="email" id="id_email" maxlength="320"/></div>'
|
||||
'<div class="required error"><label for="id_age" class="required">Age:'
|
||||
'</label><ul class="errorlist"><li>This field is required.</li></ul>'
|
||||
'<input type="number" name="age" required id="id_age" /></div>',
|
||||
@ -5094,8 +5096,9 @@ class OverrideTests(SimpleTestCase):
|
||||
'<p>Name: <input type="text" name="name" maxlength="50"></p>'
|
||||
'<div class="errorlist">'
|
||||
'<div class="error">Enter a valid email address.</div></div>'
|
||||
'<p>Email: <input type="email" name="email" value="invalid" required></p>'
|
||||
'<div class="errorlist">'
|
||||
"<p>Email: "
|
||||
'<input type="email" name="email" value="invalid" maxlength="320" required>'
|
||||
'</p><div class="errorlist">'
|
||||
'<div class="error">This field is required.</div></div>'
|
||||
'<p>Comment: <input type="text" name="comment" required></p>',
|
||||
)
|
||||
|
@ -106,6 +106,7 @@ VALID_URLS = [
|
||||
"ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
|
||||
"ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
|
||||
"ddddddddddddddddd:password@example.com:8080",
|
||||
"http://userid:password" + "d" * 2000 + "@example.aaaaaaaaaaaaa.com",
|
||||
"http://142.42.1.1/",
|
||||
"http://142.42.1.1:8080/",
|
||||
"http://➡.ws/䨹",
|
||||
@ -236,6 +237,7 @@ INVALID_URLS = [
|
||||
"aaaaaa.com",
|
||||
"http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
|
||||
"aaaaaa",
|
||||
"http://example." + ("a" * 63 + ".") * 1000 + "com",
|
||||
"http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
|
||||
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaa"
|
||||
"aaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaa"
|
||||
@ -291,6 +293,7 @@ TEST_DATA = [
|
||||
(validate_email, "example@%s.%s.atm" % ("a" * 63, "b" * 10), None),
|
||||
(validate_email, "example@atm.%s" % ("a" * 64), ValidationError),
|
||||
(validate_email, "example@%s.atm.%s" % ("b" * 64, "a" * 63), ValidationError),
|
||||
(validate_email, "example@%scom" % (("a" * 63 + ".") * 100), ValidationError),
|
||||
(validate_email, None, ValidationError),
|
||||
(validate_email, "", ValidationError),
|
||||
(validate_email, "abc", ValidationError),
|
||||
|
Loading…
Reference in New Issue
Block a user