1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
From 32bc7fa517be1d50239827520cc13f3112d3d748 Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Wed, 29 Nov 2023 12:49:41 +0000
Subject: [PATCH 2/2] Fixed CVE-2023-46695 -- Fixed potential DoS in
UsernameField on Windows.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
CVE: CVE-2023-46695
Upstream-Status: Backport [https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b]
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
---
django/contrib/auth/forms.py | 10 +++++++++-
docs/releases/2.2.28.txt | 14 ++++++++++++++
tests/auth_tests/test_forms.py | 8 +++++++-
3 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
index e6f73fe..26d3ca7 100644
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -68,7 +68,15 @@ class ReadOnlyPasswordHashField(forms.Field):
class UsernameField(forms.CharField):
def to_python(self, value):
- return unicodedata.normalize('NFKC', super().to_python(value))
+ value = super().to_python(value)
+ if self.max_length is not None and len(value) > self.max_length:
+ # Normalization can increase the string length (e.g.
+ # "ff" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no
+ # point in normalizing invalid data. Moreover, Unicode
+ # normalization is very slow on Windows and can be a DoS attack
+ # vector.
+ return value
+ return unicodedata.normalize("NFKC", value)
class UserCreationForm(forms.ModelForm):
diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
index 6a38e9c..c653cb6 100644
--- a/docs/releases/2.2.28.txt
+++ b/docs/releases/2.2.28.txt
@@ -76,3 +76,17 @@ filters, which were thus also vulnerable.
The input processed by ``Truncator``, when operating in HTML mode, has been
limited to the first five million characters in order to avoid potential
performance and memory issues.
+
+Backporting the CVE-2023-46695 fix on Django 2.2.28.
+
+CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
+=========================================================================================
+
+The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
+subject to a potential denial of service attack via certain inputs with a very
+large number of Unicode characters.
+
+In order to avoid the vulnerability, invalid values longer than
+``UsernameField.max_length`` are no longer normalized, since they cannot pass
+validation anyway.
diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
index bed23af..e73d4b8 100644
--- a/tests/auth_tests/test_forms.py
+++ b/tests/auth_tests/test_forms.py
@@ -6,7 +6,7 @@ from django import forms
from django.contrib.auth.forms import (
AdminPasswordChangeForm, AuthenticationForm, PasswordChangeForm,
PasswordResetForm, ReadOnlyPasswordHashField, ReadOnlyPasswordHashWidget,
- SetPasswordForm, UserChangeForm, UserCreationForm,
+ SetPasswordForm, UserChangeForm, UserCreationForm, UsernameField,
)
from django.contrib.auth.models import User
from django.contrib.auth.signals import user_login_failed
@@ -132,6 +132,12 @@ class UserCreationFormTest(TestDataMixin, TestCase):
self.assertNotEqual(user.username, ohm_username)
self.assertEqual(user.username, 'testΩ') # U+03A9 GREEK CAPITAL LETTER OMEGA
+ def test_invalid_username_no_normalize(self):
+ field = UsernameField(max_length=254)
+ # Usernames are not normalized if they are too long.
+ self.assertEqual(field.to_python("½" * 255), "½" * 255)
+ self.assertEqual(field.to_python("ff" * 254), "ff" * 254)
+
def test_duplicate_normalized_unicode(self):
"""
To prevent almost identical usernames, visually identical but differing
--
2.40.0
|