[4.0.x] Fixed CVE-2021-45115 -- Prevented DoS vector in UserAttributeSimilarityValidator.

Thanks Chris Bailey for the report. Co-authored-by: Adam Johnson <me@adamj.eu>
2025-07-23 05:05:17 +00:00 · 2021-12-27 14:48:03 +01:00 · 2021-12-27 14:48:03 +01:00 · df79ef03ac
commit df79ef03ac
parent 7753169585
6 changed files with 92 additions and 15 deletions
--- a/docs/topics/auth/passwords.txt
+++ b/docs/topics/auth/passwords.txt
@ -609,10 +609,16 @@ Django includes four validators:
    is used: ``'username', 'first_name', 'last_name', 'email'``.
    Attributes that don't exist are ignored.

-    The minimum similarity of a rejected password can be set on a scale of 0 to
-    1 with the ``max_similarity`` parameter. A setting of 0 rejects all
-    passwords, whereas a setting of 1 rejects only passwords that are identical
-    to an attribute's value.
+    The maximum allowed similarity of passwords can be set on a scale of 0.1
+    to 1.0 with the ``max_similarity`` parameter. This is compared to the
+    result of :meth:`difflib.SequenceMatcher.quick_ratio`. A value of 0.1
+    rejects passwords unless they are substantially different from the
+    ``user_attributes``, whereas a value of 1.0 rejects only passwords that are
+    identical to an attribute's value.
+
+    .. versionchanged:: 2.2.26
+
+        The ``max_similarity`` parameter was limited to a minimum value of 0.1.

 .. class:: CommonPasswordValidator(password_list_path=DEFAULT_PASSWORD_LIST_PATH)