Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 048a9eb

Browse files
felixxmfelixxm
committed
[4.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
1 parent 3fae5d9 commit 048a9eb

File tree

5 files changed

+50
-3
lines changed

5 files changed

+50
-3
lines changed

django/contrib/auth/forms.py

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -71,7 +71,15 @@ def __init__(self, *args, **kwargs):
7171

7272
class UsernameField(forms.CharField):
7373
def to_python(self, value):
74-
return unicodedata.normalize("NFKC", super().to_python(value))
74+
value = super().to_python(value)
75+
if self.max_length is not None and len(value) > self.max_length:
76+
# Normalization can increase the string length (e.g.
77+
# "ff" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no
78+
# point in normalizing invalid data. Moreover, Unicode
79+
# normalization is very slow on Windows and can be a DoS attack
80+
# vector.
81+
return value
82+
return unicodedata.normalize("NFKC", value)
7583

7684
def widget_attrs(self, widget):
7785
return {

docs/releases/3.2.23.txt

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,4 +6,14 @@ Django 3.2.23 release notes
66

77
Django 3.2.23 fixes a security issue with severity "moderate" in 3.2.22.
88

9-
...
9+
CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
10+
=========================================================================================
11+
12+
The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
13+
Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
14+
subject to a potential denial of service attack via certain inputs with a very
15+
large number of Unicode characters.
16+
17+
In order to avoid the vulnerability, invalid values longer than
18+
``UsernameField.max_length`` are no longer normalized, since they cannot pass
19+
validation anyway.

docs/releases/4.1.13.txt

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,4 +6,14 @@ Django 4.1.13 release notes
66

77
Django 4.1.13 fixes a security issue with severity "moderate" in 4.1.12.
88

9-
...
9+
CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
10+
=========================================================================================
11+
12+
The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
13+
Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
14+
subject to a potential denial of service attack via certain inputs with a very
15+
large number of Unicode characters.
16+
17+
In order to avoid the vulnerability, invalid values longer than
18+
``UsernameField.max_length`` are no longer normalized, since they cannot pass
19+
validation anyway.

docs/releases/4.2.7.txt

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,18 @@ Django 4.2.7 release notes
77
Django 4.2.7 fixes a security issue with severity "moderate" and several bugs
88
in 4.2.6.
99

10+
CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
11+
=========================================================================================
12+
13+
The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
14+
Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
15+
subject to a potential denial of service attack via certain inputs with a very
16+
large number of Unicode characters.
17+
18+
In order to avoid the vulnerability, invalid values longer than
19+
``UsernameField.max_length`` are no longer normalized, since they cannot pass
20+
validation anyway.
21+
1022
Bugfixes
1123
========
1224

tests/auth_tests/test_forms.py

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,7 @@
1414
SetPasswordForm,
1515
UserChangeForm,
1616
UserCreationForm,
17+
UsernameField,
1718
)
1819
from django.contrib.auth.models import User
1920
from django.contrib.auth.signals import user_login_failed
@@ -154,6 +155,12 @@ def test_normalize_username(self):
154155
self.assertNotEqual(user.username, ohm_username)
155156
self.assertEqual(user.username, "testΩ") # U+03A9 GREEK CAPITAL LETTER OMEGA
156157

158+
def test_invalid_username_no_normalize(self):
159+
field = UsernameField(max_length=254)
160+
# Usernames are not normalized if they are too long.
161+
self.assertEqual(field.to_python("½" * 255), "½" * 255)
162+
self.assertEqual(field.to_python("ff" * 254), "ff" * 254)
163+
157164
def test_duplicate_normalized_unicode(self):
158165
"""
159166
To prevent almost identical usernames, visually identical but differing

0 commit comments

Comments
 (0)