From 32bc7fa517be1d50239827520cc13f3112d3d748 Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Wed, 29 Nov 2023 12:49:41 +0000 Subject: [PATCH 2/2] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. CVE: CVE-2023-46695 Upstream-Status: Backport [https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b] Signed-off-by: Narpat Mali --- django/contrib/auth/forms.py | 10 +++++++++- docs/releases/2.2.28.txt | 14 ++++++++++++++ tests/auth_tests/test_forms.py | 8 +++++++- 3 files changed, 30 insertions(+), 2 deletions(-) diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py index e6f73fe..26d3ca7 100644 --- a/django/contrib/auth/forms.py +++ b/django/contrib/auth/forms.py @@ -68,7 +68,15 @@ class ReadOnlyPasswordHashField(forms.Field): class UsernameField(forms.CharField): def to_python(self, value): - return unicodedata.normalize('NFKC', super().to_python(value)) + value = super().to_python(value) + if self.max_length is not None and len(value) > self.max_length: + # Normalization can increase the string length (e.g. + # "ff" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no + # point in normalizing invalid data. Moreover, Unicode + # normalization is very slow on Windows and can be a DoS attack + # vector. + return value + return unicodedata.normalize("NFKC", value) class UserCreationForm(forms.ModelForm): diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt index 6a38e9c..c653cb6 100644 --- a/docs/releases/2.2.28.txt +++ b/docs/releases/2.2.28.txt @@ -76,3 +76,17 @@ filters, which were thus also vulnerable. The input processed by ``Truncator``, when operating in HTML mode, has been limited to the first five million characters in order to avoid potential performance and memory issues. + +Backporting the CVE-2023-46695 fix on Django 2.2.28. + +CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows +========================================================================================= + +The :func:`NFKC normalization ` is slow on +Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was +subject to a potential denial of service attack via certain inputs with a very +large number of Unicode characters. + +In order to avoid the vulnerability, invalid values longer than +``UsernameField.max_length`` are no longer normalized, since they cannot pass +validation anyway. diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py index bed23af..e73d4b8 100644 --- a/tests/auth_tests/test_forms.py +++ b/tests/auth_tests/test_forms.py @@ -6,7 +6,7 @@ from django import forms from django.contrib.auth.forms import ( AdminPasswordChangeForm, AuthenticationForm, PasswordChangeForm, PasswordResetForm, ReadOnlyPasswordHashField, ReadOnlyPasswordHashWidget, - SetPasswordForm, UserChangeForm, UserCreationForm, + SetPasswordForm, UserChangeForm, UserCreationForm, UsernameField, ) from django.contrib.auth.models import User from django.contrib.auth.signals import user_login_failed @@ -132,6 +132,12 @@ class UserCreationFormTest(TestDataMixin, TestCase): self.assertNotEqual(user.username, ohm_username) self.assertEqual(user.username, 'testΩ') # U+03A9 GREEK CAPITAL LETTER OMEGA + def test_invalid_username_no_normalize(self): + field = UsernameField(max_length=254) + # Usernames are not normalized if they are too long. + self.assertEqual(field.to_python("½" * 255), "½" * 255) + self.assertEqual(field.to_python("ff" * 254), "ff" * 254) + def test_duplicate_normalized_unicode(self): """ To prevent almost identical usernames, visually identical but differing -- 2.40.0