Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.

Thanks Seokchan Yoon for reports.
2026-02-09 02:49:25 +08:00 · 2023-06-14 12:23:06 +02:00
parent 7eeadc82c2
commit ad0410ec4f
10 changed files with 73 additions and 15 deletions
--- a/tests/forms_tests/field_tests/test_emailfield.py
+++ b/tests/forms_tests/field_tests/test_emailfield.py
@@ -8,8 +8,9 @@ from . import FormFieldAssertionsMixin
 class EmailFieldTest(FormFieldAssertionsMixin, SimpleTestCase):
    def test_emailfield_1(self):
        f = EmailField()
+        self.assertEqual(f.max_length, 320)
        self.assertWidgetRendersTo(
-            f, '<input type="email" name="f" id="id_f" required>'
+            f, '<input type="email" name="f" id="id_f" maxlength="320" required>'
        )
        with self.assertRaisesMessage(ValidationError, "'This field is required.'"):
            f.clean("")
--- a/tests/forms_tests/tests/test_forms.py
+++ b/tests/forms_tests/tests/test_forms.py
@@ -546,7 +546,8 @@ class FormsTestCase(SimpleTestCase):

        f = SignupForm(auto_id=False)
        self.assertHTMLEqual(
-            str(f["email"]), '<input type="email" name="email" required>'
+            str(f["email"]),
+            '<input type="email" name="email" maxlength="320" required>',
        )
        self.assertHTMLEqual(
            str(f["get_spam"]), '<input type="checkbox" name="get_spam" required>'
@@ -555,7 +556,8 @@ class FormsTestCase(SimpleTestCase):
        f = SignupForm({"email": "test@example.com", "get_spam": True}, auto_id=False)
        self.assertHTMLEqual(
            str(f["email"]),
-            '<input type="email" name="email" value="test@example.com" required>',
+            '<input type="email" name="email" maxlength="320" value="test@example.com" '
+            "required>",
        )
        self.assertHTMLEqual(
            str(f["get_spam"]),
@@ -3521,7 +3523,7 @@ Options: <select multiple name="options" required>
            <option value="false">No</option>
            </select></li>
            <li><label for="id_email">Email:</label>
-            <input type="email" name="email" id="id_email"></li>
+            <input type="email" name="email" id="id_email" maxlength="320"></li>
            <li class="required error"><ul class="errorlist">
            <li>This field is required.</li></ul>
            <label class="required" for="id_age">Age:</label>
@@ -3543,7 +3545,7 @@ Options: <select multiple name="options" required>
            <option value="false">No</option>
            </select></p>
            <p><label for="id_email">Email:</label>
-            <input type="email" name="email" id="id_email"></p>
+            <input type="email" name="email" id="id_email" maxlength="320"></p>
            <ul class="errorlist"><li>This field is required.</li></ul>
            <p class="required error"><label class="required" for="id_age">Age:</label>
            <input type="number" name="age" id="id_age" required></p>
@@ -3563,7 +3565,7 @@ Options: <select multiple name="options" required>
 <option value="false">No</option>
 </select></td></tr>
 <tr><th><label for="id_email">Email:</label></th><td>
-<input type="email" name="email" id="id_email"></td></tr>
+<input type="email" name="email" id="id_email" maxlength="320"></td></tr>
 <tr class="required error"><th><label class="required" for="id_age">Age:</label></th>
 <td><ul class="errorlist"><li>This field is required.</li></ul>
 <input type="number" name="age" id="id_age" required></td></tr>""",
@@ -3578,7 +3580,7 @@ Options: <select multiple name="options" required>
            '<option value="unknown" selected>Unknown</option>'
            '<option value="true">Yes</option><option value="false">No</option>'
            '</select></div><div><label for="id_email">Email:</label>'
-            '<input type="email" name="email" id="id_email" /></div>'
+            '<input type="email" name="email" id="id_email" maxlength="320"/></div>'
            '<div class="required error"><label for="id_age" class="required">Age:'
            '</label><ul class="errorlist"><li>This field is required.</li></ul>'
            '<input type="number" name="age" required id="id_age" /></div>',
@@ -5094,8 +5096,9 @@ class OverrideTests(SimpleTestCase):
            '<p>Name: <input type="text" name="name" maxlength="50"></p>'
            '<div class="errorlist">'
            '<div class="error">Enter a valid email address.</div></div>'
-            '<p>Email: <input type="email" name="email" value="invalid" required></p>'
-            '<div class="errorlist">'
+            "<p>Email: "
+            '<input type="email" name="email" value="invalid" maxlength="320" required>'
+            '</p><div class="errorlist">'
            '<div class="error">This field is required.</div></div>'
            '<p>Comment: <input type="text" name="comment" required></p>',
        )