Overview

File CVE-2023-36053.patch of Package python-Django.32952

Index: Django-2.0.7/django/core/validators.py
===================================================================
--- Django-2.0.7.orig/django/core/validators.py
+++ Django-2.0.7/django/core/validators.py
@@ -101,6 +101,7 @@ class URLValidator(RegexValidator):
         r'\Z', re.IGNORECASE)
     message = _('Enter a valid URL.')
     schemes = ['http', 'https', 'ftp', 'ftps']
+    max_length = 2048
 
     def __init__(self, schemes=None, **kwargs):
         super().__init__(**kwargs)
@@ -108,6 +109,10 @@ class URLValidator(RegexValidator):
             self.schemes = schemes
 
     def __call__(self, value):
+        if not isinstance(value, str) or len(value) > self.max_length:
+            raise ValidationError(self.message, code=self.code)
+        if isinstance(value, str) and self.unsafe_chars.intersection(value):
+            raise ValidationError(self.message, code=self.code)
         # Check first if the scheme is valid
         scheme = value.split('://')[0].lower()
         if scheme not in self.schemes:
@@ -187,7 +192,9 @@ class EmailValidator:
             self.domain_whitelist = whitelist
 
     def __call__(self, value):
-        if not value or '@' not in value:
+        # The maximum length of an email is 320 characters per RFC 3696
+        # section 3.
+        if not value or '@' not in value or len(value) > 320:
             raise ValidationError(self.message, code=self.code)
 
         user_part, domain_part = value.rsplit('@', 1)
Index: Django-2.0.7/django/forms/fields.py
===================================================================
--- Django-2.0.7.orig/django/forms/fields.py
+++ Django-2.0.7/django/forms/fields.py
@@ -516,6 +516,9 @@ class EmailField(CharField):
     default_validators = [validators.validate_email]
 
     def __init__(self, **kwargs):
+        # The default maximum length of an email is 320 characters per RFC 3696
+        # section 3.
+        kwargs.setdefault("max_length", 320)
         super().__init__(strip=True, **kwargs)
 
 
Index: Django-2.0.7/tests/forms_tests/field_tests/test_emailfield.py
===================================================================
--- Django-2.0.7.orig/tests/forms_tests/field_tests/test_emailfield.py
+++ Django-2.0.7/tests/forms_tests/field_tests/test_emailfield.py
@@ -8,7 +8,10 @@ class EmailFieldTest(FormFieldAssertions
 
     def test_emailfield_1(self):
         f = EmailField()
-        self.assertWidgetRendersTo(f, '<input type="email" name="f" id="id_f" required />')
+        self.assertEqual(f.max_length, 320)
+        self.assertWidgetRendersTo(
+            f, '<input type="email" name="f" id="id_f" maxlength="320" required />'
+        )
         with self.assertRaisesMessage(ValidationError, "'This field is required.'"):
             f.clean('')
         with self.assertRaisesMessage(ValidationError, "'This field is required.'"):
Index: Django-2.0.7/tests/forms_tests/tests/test_forms.py
===================================================================
--- Django-2.0.7.orig/tests/forms_tests/tests/test_forms.py
+++ Django-2.0.7/tests/forms_tests/tests/test_forms.py
@@ -422,11 +422,18 @@ class FormsTestCase(SimpleTestCase):
             get_spam = BooleanField()
 
         f = SignupForm(auto_id=False)
-        self.assertHTMLEqual(str(f['email']), '<input type="email" name="email" required />')
+        self.assertHTMLEqual(
+            str(f["email"]),
+            '<input type="email" name="email" maxlength="320" required />',
+        )
         self.assertHTMLEqual(str(f['get_spam']), '<input type="checkbox" name="get_spam" required />')
 
         f = SignupForm({'email': 'test@example.com', 'get_spam': True}, auto_id=False)
-        self.assertHTMLEqual(str(f['email']), '<input type="email" name="email" value="test@example.com" required />')
+        self.assertHTMLEqual(
+            str(f["email"]),
+            '<input type="email" name="email" maxlength="320" value="test@example.com" '
+            "required />",
+        )
         self.assertHTMLEqual(
             str(f['get_spam']),
             '<input checked type="checkbox" name="get_spam" required />',
@@ -2754,7 +2761,7 @@ Good luck picking a username that doesn&
 <option value="2">Yes</option>
 <option value="3">No</option>
 </select></li>
-<li><label for="id_email">Email:</label> <input type="email" name="email" id="id_email" /></li>
+<li><label for="id_email">Email:</label> <input type="email" name="email" id="id_email" maxlength="320" /></li>
 <li class="required error"><ul class="errorlist"><li>This field is required.</li></ul>
 <label class="required" for="id_age">Age:</label> <input type="number" name="age" id="id_age" required /></li>"""
         )
@@ -2770,7 +2777,7 @@ Good luck picking a username that doesn&
 <option value="2">Yes</option>
 <option value="3">No</option>
 </select></p>
-<p><label for="id_email">Email:</label> <input type="email" name="email" id="id_email" /></p>
+<p><label for="id_email">Email:</label> <input type="email" name="email" id="id_email" maxlength="320" /></p>
 <ul class="errorlist"><li>This field is required.</li></ul>
 <p class="required error"><label class="required" for="id_age">Age:</label>
 <input type="number" name="age" id="id_age" required /></p>"""
@@ -2789,7 +2796,7 @@ Good luck picking a username that doesn&
 <option value="3">No</option>
 </select></td></tr>
 <tr><th><label for="id_email">Email:</label></th><td>
-<input type="email" name="email" id="id_email" /></td></tr>
+<input type="email" name="email" id="id_email" maxlength="320" /></td></tr>
 <tr class="required error"><th><label class="required" for="id_age">Age:</label></th>
 <td><ul class="errorlist"><li>This field is required.</li></ul>
 <input type="number" name="age" id="id_age" required /></td></tr>"""
@@ -3394,7 +3401,7 @@ Good luck picking a username that doesn&
         f = CommentForm(data, auto_id=False, error_class=DivErrorList)
         self.assertHTMLEqual(f.as_p(), """<p>Name: <input type="text" name="name" maxlength="50" /></p>
 <div class="errorlist"><div class="error">Enter a valid email address.</div></div>
-<p>Email: <input type="email" name="email" value="invalid" required /></p>
+<p>Email: <input type="email" name="email" value="invalid" maxlength="320" required /></p>
 <div class="errorlist"><div class="error">This field is required.</div></div>
 <p>Comment: <input type="text" name="comment" required /></p>""")
 
Index: Django-2.0.7/tests/validators/tests.py
===================================================================
--- Django-2.0.7.orig/tests/validators/tests.py
+++ Django-2.0.7/tests/validators/tests.py
@@ -58,6 +58,7 @@ TEST_DATA = [
 
     (validate_email, 'example@atm.%s' % ('a' * 64), ValidationError),
     (validate_email, 'example@%s.atm.%s' % ('b' * 64, 'a' * 63), ValidationError),
+    (validate_email, "example@%scom" % (("a" * 63 + ".") * 100), ValidationError),
     (validate_email, None, ValidationError),
     (validate_email, '', ValidationError),
     (validate_email, 'abc', ValidationError),
@@ -218,6 +219,11 @@ TEST_DATA = [
     (URLValidator(EXTENDED_SCHEMES), 'git+ssh://git@github.com/example/hg-git.git', None),
 
     (URLValidator(EXTENDED_SCHEMES), 'git://-invalid.com', ValidationError),
+    (
+        URLValidator(),
+        "http://example." + ("a" * 63 + ".") * 1000 + "com",
+        ValidationError,
+    ),
     # Trailing newlines not accepted
     (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError),
     (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError),
openSUSE Build Service is sponsored by
Places