A RetroSearch Logo

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Search Query:

Showing content from https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b below:

[3.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField … · django/django@f9a7fb8 · GitHub

File tree Expand file treeCollapse file tree 3 files changed

+27

-3

lines changed

Filter options

Expand file treeCollapse file tree 3 files changed

+27

-3

lines changed Original file line number Diff line number Diff line change

@@ -62,7 +62,15 @@ def __init__(self, *args, **kwargs):

 62 62 63 63

class UsernameField(forms.CharField):

 64 64

def to_python(self, value):

 65 -

return unicodedata.normalize('NFKC', super().to_python(value))

 65 +

value = super().to_python(value)

 66 +

if self.max_length is not None and len(value) > self.max_length:

 67 +

# Normalization can increase the string length (e.g.

 68 +

# "ff" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no

 69 +

# point in normalizing invalid data. Moreover, Unicode

 70 +

# normalization is very slow on Windows and can be a DoS attack

 71 +

# vector.

 72 +

return value

 73 +

return unicodedata.normalize("NFKC", value)

 66 74 67 75

def widget_attrs(self, widget):

 68 76

return {

 Original file line number Diff line number Diff line change

@@ -6,4 +6,14 @@ Django 3.2.23 release notes

 6 6 7 7

Django 3.2.23 fixes a security issue with severity "moderate" in 3.2.22.

 8 8 9 -

...

 9 +

CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows

 10 +

=========================================================================================

 11 + 12 +

The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on

 13 +

Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was

 14 +

subject to a potential denial of service attack via certain inputs with a very

 15 +

large number of Unicode characters.

 16 + 17 +

In order to avoid the vulnerability, invalid values longer than

 18 +

``UsernameField.max_length`` are no longer normalized, since they cannot pass

 19 +

validation anyway.

 Original file line number Diff line number Diff line change

@@ -5,7 +5,7 @@

 5 5

from django.contrib.auth.forms import (

 6 6

AdminPasswordChangeForm, AuthenticationForm, PasswordChangeForm,

 7 7

PasswordResetForm, ReadOnlyPasswordHashField, ReadOnlyPasswordHashWidget,

 8 -

SetPasswordForm, UserChangeForm, UserCreationForm,

 8 +

SetPasswordForm, UserChangeForm, UserCreationForm, UsernameField,

 9 9

)

 10 10

from django.contrib.auth.models import User

 11 11

from django.contrib.auth.signals import user_login_failed

@@ -132,6 +132,12 @@ def test_normalize_username(self):

 132 132

self.assertNotEqual(user.username, ohm_username)

 133 133

self.assertEqual(user.username, 'testΩ') # U+03A9 GREEK CAPITAL LETTER OMEGA

 134 134 135 +

def test_invalid_username_no_normalize(self):

 136 +

field = UsernameField(max_length=254)

 137 +

# Usernames are not normalized if they are too long.

 138 +

self.assertEqual(field.to_python("½" * 255), "½" * 255)

 139 +

self.assertEqual(field.to_python("ff" * 254), "ff" * 254)

 140 + 135 141

def test_duplicate_normalized_unicode(self):

 136 142

"""

 137 143

To prevent almost identical usernames, visually identical but differing

You can’t perform that action at this time.

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4