Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
This commit is contained in:
parent
40b3975e7d
commit
05ba4130ee
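--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -71,7 +71,15 @@ class ReadOnlyPasswordHashField(forms.Field):
 
 class UsernameField(forms.CharField):
     def to_python(self, value):
-        return unicodedata.normalize("NFKC", super().to_python(value))
+        value = super().to_python(value)
+        if self.max_length is not None and len(value) > self.max_length:
+            # Normalization can increase the string length (e.g.
+            # "ff" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no
+            # point in normalizing invalid data. Moreover, Unicode
+            # normalization is very slow on Windows and can be a DoS attack
+            # vector.
+            return value
+        return unicodedata.normalize("NFKC", value)
 
     def widget_attrs(self, widget):
         return {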
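Review bot: The added comment's claim that normalization "cannot reduce" the length is not true for NFKC: canonical composition can shorten a string (for example `"e" + "\u0301"` becomes the single code point `"\u00e9"`), so a username typed in decomposed form whose code-point length exceeds max_length but whose NFKC form would fit is now returned un-normalized and fails the max-length validator, where the removed line would have accepted it. If that narrowing is the intended trade-off, the comment should state it rather than the opposite, e.g. `# NFKC can lengthen a string ("½" -> "1⁄2") and only shortens decomposed sequences; over-long input is returned as-is because normalization is very slow on Windows and is a DoS vector.` The guard also only applies when `max_length` is set, so a `UsernameField` instantiated without one still normalizes input of any length; a docstring on `to_python` saying that callers are expected to pass max_length would make that contract visible.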
@ -6,4 +6,14 @@ Django 3.2.23 release notes
|
||||||
|
|
||||||
Django 3.2.23 fixes a security issue with severity "moderate" in 3.2.22.
|
Django 3.2.23 fixes a security issue with severity "moderate" in 3.2.22.
|
||||||
|
|
||||||
...
|
CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
|
||||||
|
=========================================================================================
|
||||||
|
|
||||||
|
The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
|
||||||
|
Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
|
||||||
|
subject to a potential denial of service attack via certain inputs with a very
|
||||||
|
large number of Unicode characters.
|
||||||
|
|
||||||
|
In order to avoid the vulnerability, invalid values longer than
|
||||||
|
``UsernameField.max_length`` are no longer normalized, since they cannot pass
|
||||||
|
validation anyway.
|
||||||
|
|
|
@ -6,4 +6,14 @@ Django 4.1.13 release notes
|
||||||
|
|
||||||
Django 4.1.13 fixes a security issue with severity "moderate" in 4.1.12.
|
Django 4.1.13 fixes a security issue with severity "moderate" in 4.1.12.
|
||||||
|
|
||||||
...
|
CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
|
||||||
|
=========================================================================================
|
||||||
|
|
||||||
|
The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
|
||||||
|
Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
|
||||||
|
subject to a potential denial of service attack via certain inputs with a very
|
||||||
|
large number of Unicode characters.
|
||||||
|
|
||||||
|
In order to avoid the vulnerability, invalid values longer than
|
||||||
|
``UsernameField.max_length`` are no longer normalized, since they cannot pass
|
||||||
|
validation anyway.
|
||||||
|
|
|
@ -7,6 +7,18 @@ Django 4.2.7 release notes
|
||||||
Django 4.2.7 fixes a security issue with severity "moderate" and several bugs
|
Django 4.2.7 fixes a security issue with severity "moderate" and several bugs
|
||||||
in 4.2.6.
|
in 4.2.6.
|
||||||
|
|
||||||
|
CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
|
||||||
|
=========================================================================================
|
||||||
|
|
||||||
|
The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
|
||||||
|
Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
|
||||||
|
subject to a potential denial of service attack via certain inputs with a very
|
||||||
|
large number of Unicode characters.
|
||||||
|
|
||||||
|
In order to avoid the vulnerability, invalid values longer than
|
||||||
|
``UsernameField.max_length`` are no longer normalized, since they cannot pass
|
||||||
|
validation anyway.
|
||||||
|
|
||||||
Bugfixes
|
Bugfixes
|
||||||
========
|
========
|
||||||
|
|
||||||
|
|
|
@ -14,6 +14,7 @@ from django.contrib.auth.forms import (
|
||||||
SetPasswordForm,
|
SetPasswordForm,
|
||||||
UserChangeForm,
|
UserChangeForm,
|
||||||
UserCreationForm,
|
UserCreationForm,
|
||||||
|
UsernameField,
|
||||||
)
|
)
|
||||||
from django.contrib.auth.models import User
|
from django.contrib.auth.models import User
|
||||||
from django.contrib.auth.signals import user_login_failed
|
from django.contrib.auth.signals import user_login_failed
|
||||||
|
@ -154,6 +155,12 @@ class BaseUserCreationFormTest(TestDataMixin, TestCase):
|
||||||
self.assertNotEqual(user.username, ohm_username)
|
self.assertNotEqual(user.username, ohm_username)
|
||||||
self.assertEqual(user.username, "testΩ") # U+03A9 GREEK CAPITAL LETTER OMEGA
|
self.assertEqual(user.username, "testΩ") # U+03A9 GREEK CAPITAL LETTER OMEGA
|
||||||
|
|
||||||
|
def test_invalid_username_no_normalize(self):
|
||||||
|
field = UsernameField(max_length=254)
|
||||||
|
# Usernames are not normalized if they are too long.
|
||||||
|
self.assertEqual(field.to_python("½" * 255), "½" * 255)
|
||||||
|
self.assertEqual(field.to_python("ff" * 254), "ff" * 254)
|
||||||
|
|
||||||
def test_duplicate_normalized_unicode(self):
|
def test_duplicate_normalized_unicode(self):
|
||||||
"""
|
"""
|
||||||
To prevent almost identical usernames, visually identical but differing
|
To prevent almost identical usernames, visually identical but differing
|
||||||
|
|
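Review bot: test_invalid_username_no_normalize only exercises the over-length branch, so the boundary of `len(value) > self.max_length` and the fact that normalization still runs for values that fit are untested here. A value exactly at max_length should still be normalized, e.g. `self.assertEqual(field.to_python("½" * 254), "1⁄2" * 254)`, which also pins that the guard is strict rather than `>=`. A case built with `UsernameField(max_length=None)` would document that unbounded fields still normalize everything. The second assertion's `"ff"` presumably is the U+FB00 ligature in the source; as rendered here it reads as two ASCII letters, which NFKC leaves unchanged, so the assertion would pass even without the guard — worth confirming.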