packages/python-django
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
python-django/CVE-2023-46695.patch
starlet-dx 10b8226082 Fix CVE-2023-46695
2023-11-06 14:06:02 +08:00

62 lines
2.5 KiB
Diff
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

From 048a9ebb6ea468426cb4e57c71572cbbd975517f Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Tue, 17 Oct 2023 11:48:32 +0200
Subject: [PATCH] [4.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in
UsernameField on Windows.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
---
django/contrib/auth/forms.py | 10 +++++++++-
tests/auth_tests/test_forms.py | 7 +++++++
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
index eaae0bf..061dc81 100644
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -71,7 +71,15 @@ class ReadOnlyPasswordHashField(forms.Field):
class UsernameField(forms.CharField):
def to_python(self, value):
- return unicodedata.normalize("NFKC", super().to_python(value))
+ value = super().to_python(value)
+ if self.max_length is not None and len(value) > self.max_length:
+ # Normalization can increase the string length (e.g.
+ # "ff" -> "ff", "½" -> "12") but cannot reduce it, so there is no
+ # point in normalizing invalid data. Moreover, Unicode
+ # normalization is very slow on Windows and can be a DoS attack
+ # vector.
+ return value
+ return unicodedata.normalize("NFKC", value)
def widget_attrs(self, widget):
return {
diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
index 7a80adb..81c56a4 100644
--- a/tests/auth_tests/test_forms.py
+++ b/tests/auth_tests/test_forms.py
@@ -14,6 +14,7 @@ from django.contrib.auth.forms import (
SetPasswordForm,
UserChangeForm,
UserCreationForm,
+ UsernameField,
)
from django.contrib.auth.models import User
from django.contrib.auth.signals import user_login_failed
@@ -154,6 +155,12 @@ class BaseUserCreationFormTest(TestDataMixin, TestCase):
self.assertNotEqual(user.username, ohm_username)
self.assertEqual(user.username, "testΩ") # U+03A9 GREEK CAPITAL LETTER OMEGA
+ def test_invalid_username_no_normalize(self):
+ field = UsernameField(max_length=254)
+ # Usernames are not normalized if they are too long.
+ self.assertEqual(field.to_python("½" * 255), "½" * 255)
+ self.assertEqual(field.to_python("ff" * 254), "ff" * 254)
+
def test_duplicate_normalized_unicode(self):
"""
To prevent almost identical usernames, visually identical but differing
--
2.30.0
Reference in New Issue View Git Blame Copy Permalink