Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.

Thanks Seokchan Yoon for reports.
2025-08-04 02:48:35 +00:00 · 2023-06-14 12:23:06 +02:00 · 2023-06-14 12:23:06 +02:00 · ad0410ec4f
commit ad0410ec4f
parent 7eeadc82c2
10 changed files with 73 additions and 15 deletions
--- a/docs/ref/forms/fields.txt
+++ b/docs/ref/forms/fields.txt
@ -596,7 +596,12 @@ For each field, we describe the default widget used if you don't specify
    * Error message keys: ``required``, ``invalid``

    Has the optional arguments ``max_length``, ``min_length``, and
-    ``empty_value`` which work just as they do for :class:`CharField`.
+    ``empty_value`` which work just as they do for :class:`CharField`. The
+    ``max_length`` argument defaults to 320 (see :rfc:`3696#section-3`).
+
+    .. versionchanged:: 3.2.20
+
+        The default value for ``max_length`` was changed to 320 characters.

 ``FileField``
 -------------
--- a/docs/ref/validators.txt
+++ b/docs/ref/validators.txt
@ -133,6 +133,11 @@ to, or in lieu of custom ``field.clean()`` methods.
    :param code: If not ``None``, overrides :attr:`code`.
    :param allowlist: If not ``None``, overrides :attr:`allowlist`.

+    An :class:`EmailValidator` ensures that a value looks like an email, and
+    raises a :exc:`~django.core.exceptions.ValidationError` with
+    :attr:`message` and :attr:`code` if it doesn't. Values longer than 320
+    characters are always considered invalid.
+
    .. attribute:: message

        The error message used by
@ -154,13 +159,19 @@ to, or in lieu of custom ``field.clean()`` methods.
        validation, so you'd need to add them to the ``allowlist`` as
        necessary.

+    .. versionchanged:: 3.2.20
+
+        In older versions, values longer than 320 characters could be
+        considered valid.
+
 ``URLValidator``
 ----------------

 .. class:: URLValidator(schemes=None, regex=None, message=None, code=None)

    A :class:`RegexValidator` subclass that ensures a value looks like a URL,
-    and raises an error code of ``'invalid'`` if it doesn't.
+    and raises an error code of ``'invalid'`` if it doesn't. Values longer than
+    :attr:`max_length` characters are always considered invalid.

    Loopback addresses and reserved IP spaces are considered valid. Literal
    IPv6 addresses (:rfc:`3986#section-3.2.2`) and Unicode domains are both
@ -177,6 +188,18 @@ to, or in lieu of custom ``field.clean()`` methods.

        .. _valid URI schemes: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml

+    .. attribute:: max_length
+
+        .. versionadded:: 3.2.20
+
+        The maximum length of values that could be considered valid. Defaults
+        to 2048 characters.
+
+    .. versionchanged:: 3.2.20
+
+        In older versions, values longer than 2048 characters could be
+        considered valid.
+
 ``validate_email``
 ------------------