+131
-14
lines changedFilter options
+131
-14
lines changed Original file line number Diff line number Diff line change
@@ -32,7 +32,7 @@
32 32
)
33 33
from django.utils.duration import duration_microseconds, duration_string
34 34
from django.utils.functional import Promise, cached_property
35 -
from django.utils.ipv6 import clean_ipv6_address
35 +
from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH, clean_ipv6_address
36 36
from django.utils.text import capfirst
37 37
from django.utils.translation import gettext_lazy as _
38 38
@@ -2228,7 +2228,7 @@ def __init__(
2228 2228
self.default_validators = validators.ip_address_validators(
2229 2229
protocol, unpack_ipv4
2230 2230
)
2231 -
kwargs["max_length"] = 39
2231 +
kwargs["max_length"] = MAX_IPV6_ADDRESS_LENGTH
2232 2232
super().__init__(verbose_name, name, *args, **kwargs)
2233 2233 2234 2234
def check(self, **kwargs):
@@ -2255,7 +2255,7 @@ def deconstruct(self):
2255 2255
kwargs["unpack_ipv4"] = self.unpack_ipv4
2256 2256
if self.protocol != "both":
2257 2257
kwargs["protocol"] = self.protocol
2258 -
if kwargs.get("max_length") == 39:
2258 +
if kwargs.get("max_length") == self.max_length:
2259 2259
del kwargs["max_length"]
2260 2260
return name, path, args, kwargs
2261 2261
@@ -46,7 +46,7 @@
46 46
from django.utils.dateparse import parse_datetime, parse_duration
47 47
from django.utils.deprecation import RemovedInDjango60Warning
48 48
from django.utils.duration import duration_string
49 -
from django.utils.ipv6 import clean_ipv6_address
49 +
from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH, clean_ipv6_address
50 50
from django.utils.regex_helper import _lazy_re_compile
51 51
from django.utils.translation import gettext_lazy as _
52 52
from django.utils.translation import ngettext_lazy
@@ -1303,14 +1303,17 @@ def __init__(self, *, protocol="both", unpack_ipv4=False, **kwargs):
1303 1303
self.default_validators = validators.ip_address_validators(
1304 1304
protocol, unpack_ipv4
1305 1305
)
1306 +
kwargs.setdefault("max_length", MAX_IPV6_ADDRESS_LENGTH)
1306 1307
super().__init__(**kwargs)
1307 1308 1308 1309
def to_python(self, value):
1309 1310
if value in self.empty_values:
1310 1311
return ""
1311 1312
value = value.strip()
1312 1313
if value and ":" in value:
1313 -
return clean_ipv6_address(value, self.unpack_ipv4)
1314 +
return clean_ipv6_address(
1315 +
value, self.unpack_ipv4, max_length=self.max_length
1316 +
)
1314 1317
return value
1315 1318 1316 1319
@@ -3,9 +3,22 @@
3 3
from django.core.exceptions import ValidationError
4 4
from django.utils.translation import gettext_lazy as _
5 5 6 +
MAX_IPV6_ADDRESS_LENGTH = 39
7 + 8 + 9 +
def _ipv6_address_from_str(ip_str, max_length=MAX_IPV6_ADDRESS_LENGTH):
10 +
if len(ip_str) > max_length:
11 +
raise ValueError(
12 +
f"Unable to convert {ip_str} to an IPv6 address (value too long)."
13 +
)
14 +
return ipaddress.IPv6Address(int(ipaddress.IPv6Address(ip_str)))
15 + 6 16 7 17
def clean_ipv6_address(
8 -
ip_str, unpack_ipv4=False, error_message=_("This is not a valid IPv6 address.")
18 +
ip_str,
19 +
unpack_ipv4=False,
20 +
error_message=_("This is not a valid IPv6 address."),
21 +
max_length=MAX_IPV6_ADDRESS_LENGTH,
9 22
):
10 23
"""
11 24
Clean an IPv6 address string.
@@ -24,7 +37,7 @@ def clean_ipv6_address(
24 37
Return a compressed IPv6 address or the same value.
25 38
"""
26 39
try:
27 -
addr = ipaddress.IPv6Address(int(ipaddress.IPv6Address(ip_str)))
40 +
addr = _ipv6_address_from_str(ip_str, max_length)
28 41
except ValueError:
29 42
raise ValidationError(
30 43
error_message, code="invalid", params={"protocol": _("IPv6")}
@@ -43,7 +56,7 @@ def is_valid_ipv6_address(ip_str):
43 56
Return whether or not the `ip_str` string is a valid IPv6 address.
44 57
"""
45 58
try:
46 -
ipaddress.IPv6Address(ip_str)
59 +
_ipv6_address_from_str(ip_str)
47 60
except ValueError:
48 61
return False
49 62
return True
Original file line number Diff line number Diff line change
@@ -773,15 +773,15 @@ For each field, we describe the default widget used if you don't specify
773 773
* Empty value: ``''`` (an empty string)
774 774
* Normalizes to: A string. IPv6 addresses are normalized as described below.
775 775
* Validates that the given value is a valid IP address.
776 -
* Error message keys: ``required``, ``invalid``
776 +
* Error message keys: ``required``, ``invalid``, ``max_length``
777 777 778 778
The IPv6 address normalization follows :rfc:`4291#section-2.2` section 2.2,
779 779
including using the IPv4 format suggested in paragraph 3 of that section, like
780 780
``::ffff:192.0.2.0``. For example, ``2001:0::0:01`` would be normalized to
781 781
``2001::1``, and ``::ffff:0a0a:0a0a`` to ``::ffff:10.10.10.10``. All characters
782 782
are converted to lowercase.
783 783 784 -
Takes two optional arguments:
784 +
Takes three optional arguments:
785 785 786 786
.. attribute:: protocol
787 787
@@ -796,6 +796,15 @@ For each field, we describe the default widget used if you don't specify
796 796
``192.0.2.1``. Default is disabled. Can only be used
797 797
when ``protocol`` is set to ``'both'``.
798 798 799 +
.. attribute:: max_length
800 + 801 +
Defaults to 39, and behaves the same way as it does for
802 +
:class:`CharField`.
803 + 804 +
.. versionchanged:: 4.2.18
805 + 806 +
The default value for ``max_length`` was set to 39 characters.
807 + 799 808
``ImageField``
800 809
--------------
801 810
@@ -5,3 +5,15 @@ Django 4.2.18 release notes
5 5
*January 14, 2025*
6 6 7 7
Django 4.2.18 fixes a security issue with severity "moderate" in 4.2.17.
8 + 9 +
CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
10 +
============================================================================
11 + 12 +
Lack of upper bound limit enforcement in strings passed when performing IPv6
13 +
validation could lead to a potential denial-of-service attack. The undocumented
14 +
and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
15 +
vulnerable, as was the :class:`django.forms.GenericIPAddressField` form field,
16 +
which has now been updated to define a ``max_length`` of 39 characters.
17 + 18 +
The :class:`django.db.models.GenericIPAddressField` model field was not
19 +
affected.
Original file line number Diff line number Diff line change
@@ -5,3 +5,15 @@ Django 5.0.11 release notes
5 5
*January 14, 2025*
6 6 7 7
Django 5.0.11 fixes a security issue with severity "moderate" in 5.0.10.
8 + 9 +
CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
10 +
============================================================================
11 + 12 +
Lack of upper bound limit enforcement in strings passed when performing IPv6
13 +
validation could lead to a potential denial-of-service attack. The undocumented
14 +
and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
15 +
vulnerable, as was the :class:`django.forms.GenericIPAddressField` form field,
16 +
which has now been updated to define a ``max_length`` of 39 characters.
17 + 18 +
The :class:`django.db.models.GenericIPAddressField` model field was not
19 +
affected.
Original file line number Diff line number Diff line change
@@ -7,6 +7,18 @@ Django 5.1.5 release notes
7 7
Django 5.1.5 fixes a security issue with severity "moderate" and one bug in
8 8
5.1.4.
9 9 10 +
CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
11 +
============================================================================
12 + 13 +
Lack of upper bound limit enforcement in strings passed when performing IPv6
14 +
validation could lead to a potential denial-of-service attack. The undocumented
15 +
and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
16 +
vulnerable, as was the :class:`django.forms.GenericIPAddressField` form field,
17 +
which has now been updated to define a ``max_length`` of 39 characters.
18 + 19 +
The :class:`django.db.models.GenericIPAddressField` model field was not
20 +
affected.
21 + 10 22
Bugfixes
11 23
========
12 24
@@ -1,6 +1,7 @@
1 1
from django.core.exceptions import ValidationError
2 2
from django.forms import GenericIPAddressField
3 3
from django.test import SimpleTestCase
4 +
from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH
4 5 5 6 6 7
class GenericIPAddressFieldTest(SimpleTestCase):
@@ -125,6 +126,35 @@ def test_generic_ipaddress_as_ipv6_only(self):
125 126
):
126 127
f.clean("1:2")
127 128 129 +
def test_generic_ipaddress_max_length_custom(self):
130 +
# Valid IPv4-mapped IPv6 address, len 45.
131 +
addr = "0000:0000:0000:0000:0000:ffff:192.168.100.228"
132 +
f = GenericIPAddressField(max_length=len(addr))
133 +
f.clean(addr)
134 + 135 +
def test_generic_ipaddress_max_length_validation_error(self):
136 +
# Valid IPv4-mapped IPv6 address, len 45.
137 +
addr = "0000:0000:0000:0000:0000:ffff:192.168.100.228"
138 + 139 +
cases = [
140 +
({}, MAX_IPV6_ADDRESS_LENGTH), # Default value.
141 +
({"max_length": len(addr) - 1}, len(addr) - 1),
142 +
]
143 +
for kwargs, max_length in cases:
144 +
max_length_plus_one = max_length + 1
145 +
msg = (
146 +
f"Ensure this value has at most {max_length} characters (it has "
147 +
f"{max_length_plus_one}).'"
148 +
)
149 +
with self.subTest(max_length=max_length):
150 +
f = GenericIPAddressField(**kwargs)
151 +
with self.assertRaisesMessage(ValidationError, msg):
152 +
f.clean("x" * max_length_plus_one)
153 +
with self.assertRaisesMessage(
154 +
ValidationError, "This is not a valid IPv6 address."
155 +
):
156 +
f.clean(addr)
157 + 128 158
def test_generic_ipaddress_as_generic_not_required(self):
129 159
f = GenericIPAddressField(required=False)
130 160
self.assertEqual(f.clean(""), "")
@@ -150,7 +180,8 @@ def test_generic_ipaddress_as_generic_not_required(self):
150 180
f.clean(" fe80::223:6cff:fe8a:2e8a "), "fe80::223:6cff:fe8a:2e8a"
151 181
)
152 182
self.assertEqual(
153 -
f.clean(" 2a02::223:6cff:fe8a:2e8a "), "2a02::223:6cff:fe8a:2e8a"
183 +
f.clean(" " * MAX_IPV6_ADDRESS_LENGTH + " 2a02::223:6cff:fe8a:2e8a "),
184 +
"2a02::223:6cff:fe8a:2e8a",
154 185
)
155 186
with self.assertRaisesMessage(
156 187
ValidationError, "'This is not a valid IPv6 address.'"
@@ -1,9 +1,16 @@
1 -
import unittest
1 +
import traceback
2 +
from io import StringIO
2 3 3 -
from django.utils.ipv6 import clean_ipv6_address, is_valid_ipv6_address
4 +
from django.core.exceptions import ValidationError
5 +
from django.test import SimpleTestCase
6 +
from django.utils.ipv6 import (
7 +
MAX_IPV6_ADDRESS_LENGTH,
8 +
clean_ipv6_address,
9 +
is_valid_ipv6_address,
10 +
)
4 11 5 12 6 -
class TestUtilsIPv6(unittest.TestCase):
13 +
class TestUtilsIPv6(SimpleTestCase):
7 14
def test_validates_correct_plain_address(self):
8 15
self.assertTrue(is_valid_ipv6_address("fe80::223:6cff:fe8a:2e8a"))
9 16
self.assertTrue(is_valid_ipv6_address("2a02::223:6cff:fe8a:2e8a"))
@@ -64,3 +71,21 @@ def test_unpacks_ipv4(self):
64 71
self.assertEqual(
65 72
clean_ipv6_address("::ffff:18.52.18.52", unpack_ipv4=True), "18.52.18.52"
66 73
)
74 + 75 +
def test_address_too_long(self):
76 +
addresses = [
77 +
"0000:0000:0000:0000:0000:ffff:192.168.100.228", # IPv4-mapped IPv6 address
78 +
"0000:0000:0000:0000:0000:ffff:192.168.100.228%123456", # % scope/zone
79 +
"fe80::223:6cff:fe8a:2e8a:1234:5678:00000", # MAX_IPV6_ADDRESS_LENGTH + 1
80 +
]
81 +
msg = "This is the error message."
82 +
value_error_msg = "Unable to convert %s to an IPv6 address (value too long)."
83 +
for addr in addresses:
84 +
with self.subTest(addr=addr):
85 +
self.assertGreater(len(addr), MAX_IPV6_ADDRESS_LENGTH)
86 +
self.assertEqual(is_valid_ipv6_address(addr), False)
87 +
with self.assertRaisesMessage(ValidationError, msg) as ctx:
88 +
clean_ipv6_address(addr, error_message=msg)
89 +
exception_traceback = StringIO()
90 +
traceback.print_exception(ctx.exception, file=exception_traceback)
91 +
self.assertIn(value_error_msg % addr, exception_traceback.getvalue())
You can’t perform that action at this time.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4