[3.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.

Thanks Seokchan Yoon for reports.

Author: felixxm

django/core/validators.py

@@ -93,14 +93,15 @@ class URLValidator(RegexValidator):
     message = _('Enter a valid URL.')
     schemes = ['http', 'https', 'ftp', 'ftps']
     unsafe_chars = frozenset('\t\r\n')
+    max_length = 2048
 
     def __init__(self, schemes=None, **kwargs):
         super().__init__(**kwargs)
         if schemes is not None:
             self.schemes = schemes
 
     def __call__(self, value):
-        if not isinstance(value, str):
+        if not isinstance(value, str) or len(value) > self.max_length:
             raise ValidationError(self.message, code=self.code, params={'value': value})
         if self.unsafe_chars.intersection(value):
             raise ValidationError(self.message, code=self.code, params={'value': value})
@@ -210,7 +211,9 @@ def __init__(self, message=None, code=None, allowlist=None, *, whitelist=None):
             self.domain_allowlist = allowlist
 
     def __call__(self, value):
-        if not value or '@' not in value:
+        # The maximum length of an email is 320 characters per RFC 3696
+        # section 3.
+        if not value or '@' not in value or len(value) > 320:
             raise ValidationError(self.message, code=self.code, params={'value': value})
 
         user_part, domain_part = value.rsplit('@', 1)

django/forms/fields.py

@@ -540,6 +540,9 @@ class EmailField(CharField):
     default_validators = [validators.validate_email]
 
     def __init__(self, **kwargs):
+        # The default maximum length of an email is 320 characters per RFC 3696
+        # section 3.
+        kwargs.setdefault("max_length", 320)
         super().__init__(strip=True, **kwargs)
 
 

docs/ref/forms/fields.txt

@@ -592,7 +592,12 @@ For each field, we describe the default widget used if you don't specify
     * Error message keys: ``required``, ``invalid``
 
     Has three optional arguments ``max_length``, ``min_length``, and
-    ``empty_value`` which work just as they do for :class:`CharField`.
+    ``empty_value`` which work just as they do for :class:`CharField`. The
+    ``max_length`` argument defaults to 320 (see :rfc:`3696#section-3`).
+
+    .. versionchanged:: 3.2.20
+
+        The default value for ``max_length`` was changed to 320 characters.
 
 ``FileField``
 -------------

docs/ref/validators.txt

@@ -130,6 +130,11 @@ to, or in lieu of custom ``field.clean()`` methods.
     :param code: If not ``None``, overrides :attr:`code`.
     :param allowlist: If not ``None``, overrides :attr:`allowlist`.
 
+    An :class:`EmailValidator` ensures that a value looks like an email, and
+    raises a :exc:`~django.core.exceptions.ValidationError` with
+    :attr:`message` and :attr:`code` if it doesn't. Values longer than 320
+    characters are always considered invalid.
+
     .. attribute:: message
 
         The error message used by
@@ -158,13 +163,19 @@ to, or in lieu of custom ``field.clean()`` methods.
         The undocumented ``domain_whitelist`` attribute is deprecated. Use
         ``domain_allowlist`` instead.
 
+    .. versionchanged:: 3.2.20
+
+        In older versions, values longer than 320 characters could be
+        considered valid.
+
 ``URLValidator``
 ----------------
 
 .. class:: URLValidator(schemes=None, regex=None, message=None, code=None)
 
     A :class:`RegexValidator` subclass that ensures a value looks like a URL,
-    and raises an error code of ``'invalid'`` if it doesn't.
+    and raises an error code of ``'invalid'`` if it doesn't. Values longer than
+    :attr:`max_length` characters are always considered invalid.
 
     Loopback addresses and reserved IP spaces are considered valid. Literal
     IPv6 addresses (:rfc:`3986#section-3.2.2`) and Unicode domains are both
@@ -181,6 +192,18 @@ to, or in lieu of custom ``field.clean()`` methods.
 
         .. _valid URI schemes: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
 
+    .. attribute:: max_length
+
+        .. versionadded:: 3.2.20
+
+        The maximum length of values that could be considered valid. Defaults
+        to 2048 characters.
+
+    .. versionchanged:: 3.2.20
+
+        In older versions, values longer than 2048 characters could be
+        considered valid.
+
 ``validate_email``
 ------------------
 

docs/releases/3.2.20.txt

@@ -6,4 +6,9 @@ Django 3.2.20 release notes
 
 Django 3.2.20 fixes a security issue with severity "moderate" in 3.2.19.
 
-...
+CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator``
+===================================================================================================================
+
+``EmailValidator`` and ``URLValidator`` were subject to potential regular
+expression denial of service attack via a very large number of domain name
+labels of emails and URLs.

tests/forms_tests/field_tests/test_emailfield.py

@@ -9,7 +9,10 @@ class EmailFieldTest(FormFieldAssertionsMixin, SimpleTestCase):
 
     def test_emailfield_1(self):
         f = EmailField()
-        self.assertWidgetRendersTo(f, '<input type="email" name="f" id="id_f" required>')
+        self.assertEqual(f.max_length, 320)
+        self.assertWidgetRendersTo(
+            f, '<input type="email" name="f" id="id_f" maxlength="320" required>'
+        )
         with self.assertRaisesMessage(ValidationError, "'This field is required.'"):
             f.clean('')
         with self.assertRaisesMessage(ValidationError, "'This field is required.'"):

tests/forms_tests/tests/test_forms.py

@@ -422,11 +422,18 @@ class SignupForm(Form):
             get_spam = BooleanField()
 
         f = SignupForm(auto_id=False)
-        self.assertHTMLEqual(str(f['email']), '<input type="email" name="email" required>')
+        self.assertHTMLEqual(
+            str(f["email"]),
+            '<input type="email" name="email" maxlength="320" required>',
+        )
         self.assertHTMLEqual(str(f['get_spam']), '<input type="checkbox" name="get_spam" required>')
 
         f = SignupForm({'email': 'test@example.com', 'get_spam': True}, auto_id=False)
-        self.assertHTMLEqual(str(f['email']), '<input type="email" name="email" value="test@example.com" required>')
+        self.assertHTMLEqual(
+            str(f["email"]),
+            '<input type="email" name="email" maxlength="320" value="test@example.com" '
+            "required>",
+        )
         self.assertHTMLEqual(
             str(f['get_spam']),
             '<input checked type="checkbox" name="get_spam" required>',
@@ -2824,7 +2831,7 @@ class Person(Form):
 <option value="true">Yes</option>
 <option value="false">No</option>
 </select></li>
-<li><label for="id_email">Email:</label> <input type="email" name="email" id="id_email"></li>
+<li><label for="id_email">Email:</label> <input type="email" name="email" id="id_email" maxlength="320"></li>
 <li class="required error"><ul class="errorlist"><li>This field is required.</li></ul>
 <label class="required" for="id_age">Age:</label> <input type="number" name="age" id="id_age" required></li>"""
         )
@@ -2840,7 +2847,7 @@ class Person(Form):
 <option value="true">Yes</option>
 <option value="false">No</option>
 </select></p>
-<p><label for="id_email">Email:</label> <input type="email" name="email" id="id_email"></p>
+<p><label for="id_email">Email:</label> <input type="email" name="email" id="id_email" maxlength="320"></p>
 <ul class="errorlist"><li>This field is required.</li></ul>
 <p class="required error"><label class="required" for="id_age">Age:</label>
 <input type="number" name="age" id="id_age" required></p>"""
@@ -2859,7 +2866,7 @@ class Person(Form):
 <option value="false">No</option>
 </select></td></tr>
 <tr><th><label for="id_email">Email:</label></th><td>
-<input type="email" name="email" id="id_email"></td></tr>
+<input type="email" name="email" id="id_email" maxlength="320"></td></tr>
 <tr class="required error"><th><label class="required" for="id_age">Age:</label></th>
 <td><ul class="errorlist"><li>This field is required.</li></ul>
 <input type="number" name="age" id="id_age" required></td></tr>"""
@@ -3489,7 +3496,7 @@ class CommentForm(Form):
         f = CommentForm(data, auto_id=False, error_class=DivErrorList)
         self.assertHTMLEqual(f.as_p(), """<p>Name: <input type="text" name="name" maxlength="50"></p>
 <div class="errorlist"><div class="error">Enter a valid email address.</div></div>
-<p>Email: <input type="email" name="email" value="invalid" required></p>
+<p>Email: <input type="email" name="email" value="invalid" maxlength="320" required></p>
 <div class="errorlist"><div class="error">This field is required.</div></div>
 <p>Comment: <input type="text" name="comment" required></p>""")
 

tests/validators/tests.py

@@ -59,6 +59,7 @@
 
     (validate_email, 'example@atm.%s' % ('a' * 64), ValidationError),
     (validate_email, 'example@%s.atm.%s' % ('b' * 64, 'a' * 63), ValidationError),
+    (validate_email, "example@%scom" % (("a" * 63 + ".") * 100), ValidationError),
     (validate_email, None, ValidationError),
     (validate_email, '', ValidationError),
     (validate_email, 'abc', ValidationError),
@@ -246,6 +247,16 @@
     (URLValidator(), None, ValidationError),
     (URLValidator(), 56, ValidationError),
     (URLValidator(), 'no_scheme', ValidationError),
+    (
+        URLValidator(),
+        "http://example." + ("a" * 63 + ".") * 1000 + "com",
+        ValidationError,
+    ),
+    (
+        URLValidator(),
+        "http://userid:password" + "d" * 2000 + "@example.aaaaaaaaaaaaa.com",
+        None,
+    ),
     # Newlines and tabs are not accepted.
     (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError),
     (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError),