python3-django: fix CVE-2024-56374

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-56374 Upstream-patch: https://github.com/django/django/commit/ad866a1ca3e7d60da888d25d27e46a8adb2ed36e Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Saravanan <saravanan.kadambathursubramaniyam@windriver.com> 2025-11-30 17:11:29 +0530
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-11-30 15:16:31 +0100
commit: 0b554678b68189e14293a8a6a07bb6998ce345c4 (patch)
tree: c1f08279ef62012579042972e52b711c31ff9c32 /meta-python/recipes-devtools/python/python3-django/CVE-2024-56374.patch
parent: 540b79e3eeec268bfbc49ad1fe227cc385005bf4 (diff)
download: meta-openembedded-0b554678b68189e14293a8a6a07bb6998ce345c4.tar.gz
1 files changed, 315 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-56374.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-56374.patch
new file mode 100644
index 0000000000..3b86eacc41
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-56374.patch
@@ -0,0 +1,315 @@
+From ad866a1ca3e7d60da888d25d27e46a8adb2ed36e Mon Sep 17 00:00:00 2001
+From: Natalia <124304+nessita@users.noreply.github.com>
+Date: Mon, 6 Jan 2025 15:51:45 -0300
+Subject: [PATCH] Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6
+ validation.
+Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz
+Felisiak for the reviews.
+CVE: CVE-2024-56374
+Upstream-Status: Backport
+https://github.com/django/django/commit/ad866a1ca3e7d60da888d25d27e46a8adb2ed36e
+Signed-off-by: Natalia <124304+nessita@users.noreply.github.com>
+Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
+Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
+%% original patch: CVE-2024-56374.patch
+---
+ django/db/models/fields/__init__.py           |  6 +--
+ django/forms/fields.py                        |  7 +++-
+ django/utils/ipv6.py                          | 22 ++++++++--
+ docs/ref/forms/fields.txt                     | 13 +++++-
+ docs/releases/2.2.28.txt                      | 12 ++++++
+ .../field_tests/test_genericipaddressfield.py | 35 +++++++++++++++-
+ tests/utils_tests/test_ipv6.py                | 40 +++++++++++++++++--
+ 7 files changed, 120 insertions(+), 15 deletions(-)
+diff --git a/django/db/models/fields/__init__.py b/django/db/models/fields/__init__.py
+index e2d1846..c77702f 100644
+--- a/django/db/models/fields/__init__.py
+++ b/django/db/models/fields/__init__.py
+@@ -26,7 +26,7 @@ from django.utils.dateparse import (
+ )
+ from django.utils.duration import duration_microseconds, duration_string
+ from django.utils.functional import Promise, cached_property
+-from django.utils.ipv6 import clean_ipv6_address
+from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH, clean_ipv6_address
+ from django.utils.itercompat import is_iterable
+ from django.utils.text import capfirst
+ from django.utils.translation import gettext_lazy as _
+@@ -1904,7 +1904,7 @@ class GenericIPAddressField(Field):
+         self.default_validators, invalid_error_message = \
+             validators.ip_address_validators(protocol, unpack_ipv4)
+         self.default_error_messages['invalid'] = invalid_error_message
+-        kwargs['max_length'] = 39
+        kwargs["max_length"] = MAX_IPV6_ADDRESS_LENGTH
+         super().__init__(verbose_name, name, *args, **kwargs)
+ 
+     def check(self, **kwargs):
+@@ -1931,7 +1931,7 @@ class GenericIPAddressField(Field):
+             kwargs['unpack_ipv4'] = self.unpack_ipv4
+         if self.protocol != "both":
+             kwargs['protocol'] = self.protocol
+-        if kwargs.get("max_length") == 39:
+        if kwargs.get("max_length") == self.max_length:
+             del kwargs['max_length']
+         return name, path, args, kwargs
+ 
+diff --git a/django/forms/fields.py b/django/forms/fields.py
+index f939338..b3156b9 100644
+--- a/django/forms/fields.py
+++ b/django/forms/fields.py
+@@ -29,7 +29,7 @@ from django.forms.widgets import (
+ from django.utils import formats
+ from django.utils.dateparse import parse_duration
+ from django.utils.duration import duration_string
+-from django.utils.ipv6 import clean_ipv6_address
+from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH, clean_ipv6_address
+ from django.utils.translation import gettext_lazy as _, ngettext_lazy
+ 
+ __all__ = (
+@@ -1162,6 +1162,7 @@ class GenericIPAddressField(CharField):
+     def __init__(self, *, protocol='both', unpack_ipv4=False, **kwargs):
+         self.unpack_ipv4 = unpack_ipv4
+         self.default_validators = validators.ip_address_validators(protocol, unpack_ipv4)[0]
+        kwargs.setdefault("max_length", MAX_IPV6_ADDRESS_LENGTH)
+         super().__init__(**kwargs)
+ 
+     def to_python(self, value):
+@@ -1169,7 +1170,9 @@ class GenericIPAddressField(CharField):
+             return ''
+         value = value.strip()
+         if value and ':' in value:
+-            return clean_ipv6_address(value, self.unpack_ipv4)
+            return clean_ipv6_address(
+                value, self.unpack_ipv4, max_length=self.max_length
+            )
+         return value
+ 
+ 
+diff --git a/django/utils/ipv6.py b/django/utils/ipv6.py
+index ddb8c80..aed7902 100644
+--- a/django/utils/ipv6.py
+++ b/django/utils/ipv6.py
+@@ -3,9 +3,23 @@ import ipaddress
+ from django.core.exceptions import ValidationError
+ from django.utils.translation import gettext_lazy as _
+ 
+MAX_IPV6_ADDRESS_LENGTH = 39
+ 
+-def clean_ipv6_address(ip_str, unpack_ipv4=False,
+-                       error_message=_("This is not a valid IPv6 address.")):
+
+def _ipv6_address_from_str(ip_str, max_length=MAX_IPV6_ADDRESS_LENGTH):
+    if len(ip_str) > max_length:
+        raise ValueError(
+            f"Unable to convert {ip_str} to an IPv6 address (value too long)."
+        )
+    return ipaddress.IPv6Address(int(ipaddress.IPv6Address(ip_str)))
+
+
+def clean_ipv6_address(
+    ip_str,
+    unpack_ipv4=False,
+    error_message=_("This is not a valid IPv6 address."),
+    max_length=MAX_IPV6_ADDRESS_LENGTH,
+       ):
+     """
+     Clean an IPv6 address string.
+ 
+@@ -23,7 +37,7 @@ def clean_ipv6_address(ip_str, unpack_ipv4=False,
+     Return a compressed IPv6 address or the same value.
+     """
+     try:
+-        addr = ipaddress.IPv6Address(int(ipaddress.IPv6Address(ip_str)))
+        addr = _ipv6_address_from_str(ip_str, max_length)
+     except ValueError:
+         raise ValidationError(error_message, code='invalid')
+ 
+@@ -40,7 +54,7 @@ def is_valid_ipv6_address(ip_str):
+     Return whether or not the `ip_str` string is a valid IPv6 address.
+     """
+     try:
+-        ipaddress.IPv6Address(ip_str)
+        _ipv6_address_from_str(ip_str)
+     except ValueError:
+         return False
+     return True
+diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt
+index 3a888ef..688890a 100644
+--- a/docs/ref/forms/fields.txt
+++ b/docs/ref/forms/fields.txt
+@@ -791,7 +791,7 @@ For each field, we describe the default widget used if you don't specify
+     * Empty value: ``''`` (an empty string)
+     * Normalizes to: A string. IPv6 addresses are normalized as described below.
+     * Validates that the given value is a valid IP address.
+-    * Error message keys: ``required``, ``invalid``
+    * Error message keys: ``required``, ``invalid``, ``max_length``
+ 
+     The IPv6 address normalization follows :rfc:`4291#section-2.2` section 2.2,
+     including using the IPv4 format suggested in paragraph 3 of that section, like
+@@ -799,7 +799,7 @@ For each field, we describe the default widget used if you don't specify
+     ``2001::1``, and ``::ffff:0a0a:0a0a`` to ``::ffff:10.10.10.10``. All characters
+     are converted to lowercase.
+ 
+-    Takes two optional arguments:
+    Takes three optional arguments:
+ 
+     .. attribute:: protocol
+ 
+@@ -814,6 +814,15 @@ For each field, we describe the default widget used if you don't specify
+         ``192.0.2.1``. Default is disabled. Can only be used
+         when ``protocol`` is set to ``'both'``.
+ 
+    .. attribute:: max_length
+
+        Defaults to 39, and behaves the same way as it does for
+        :class:`CharField`.
+
+    .. versionchanged:: 4.2.18
+
+        The default value for ``max_length`` was set to 39 characters.
+
+ ``MultipleChoiceField``
+ -----------------------
+ 
+diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
+index 7096d13..0e092f0 100644
+--- a/docs/releases/2.2.28.txt
+++ b/docs/releases/2.2.28.txt
+@@ -105,3 +105,15 @@ CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text
+ The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a
+ potential denial-of-service attack when used with very long strings.
+ 
+CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
+============================================================================
+
+Lack of upper bound limit enforcement in strings passed when performing IPv6
+validation could lead to a potential denial-of-service attack. The undocumented
+and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
+vulnerable, as was the  :class:`django.forms.GenericIPAddressField` form field,
+which has now been updated to define a ``max_length`` of 39 characters.
+
+The :class:`django.db.models.GenericIPAddressField` model field was not
+affected.
+
+diff --git a/tests/forms_tests/field_tests/test_genericipaddressfield.py b/tests/forms_tests/field_tests/test_genericipaddressfield.py
+index 97a83e3..4c79d78 100644
+--- a/tests/forms_tests/field_tests/test_genericipaddressfield.py
+++ b/tests/forms_tests/field_tests/test_genericipaddressfield.py
+@@ -1,5 +1,6 @@
+ from django.forms import GenericIPAddressField, ValidationError
+ from django.test import SimpleTestCase
+from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH
+ 
+ 
+ class GenericIPAddressFieldTest(SimpleTestCase):
+@@ -89,6 +90,35 @@ class GenericIPAddressFieldTest(SimpleTestCase):
+         with self.assertRaisesMessage(ValidationError, "'This is not a valid IPv6 address.'"):
+             f.clean('1:2')
+ 
+    def test_generic_ipaddress_max_length_custom(self):
+        # Valid IPv4-mapped IPv6 address, len 45.
+        addr = "0000:0000:0000:0000:0000:ffff:192.168.100.228"
+        f = GenericIPAddressField(max_length=len(addr))
+        f.clean(addr)
+
+    def test_generic_ipaddress_max_length_validation_error(self):
+        # Valid IPv4-mapped IPv6 address, len 45.
+        addr = "0000:0000:0000:0000:0000:ffff:192.168.100.228"
+
+        cases = [
+            ({}, MAX_IPV6_ADDRESS_LENGTH),  # Default value.
+            ({"max_length": len(addr) - 1}, len(addr) - 1),
+        ]
+        for kwargs, max_length in cases:
+            max_length_plus_one = max_length + 1
+            msg = (
+                f"Ensure this value has at most {max_length} characters (it has "
+                f"{max_length_plus_one}).'"
+            )
+            with self.subTest(max_length=max_length):
+                f = GenericIPAddressField(**kwargs)
+                with self.assertRaisesMessage(ValidationError, msg):
+                    f.clean("x" * max_length_plus_one)
+                with self.assertRaisesMessage(
+                    ValidationError, "This is not a valid IPv6 address."
+                ):
+                    f.clean(addr)
+
+     def test_generic_ipaddress_as_generic_not_required(self):
+         f = GenericIPAddressField(required=False)
+         self.assertEqual(f.clean(''), '')
+@@ -103,7 +133,10 @@ class GenericIPAddressFieldTest(SimpleTestCase):
+         with self.assertRaisesMessage(ValidationError, "'Enter a valid IPv4 or IPv6 address.'"):
+             f.clean('256.125.1.5')
+         self.assertEqual(f.clean(' fe80::223:6cff:fe8a:2e8a '), 'fe80::223:6cff:fe8a:2e8a')
+-        self.assertEqual(f.clean(' 2a02::223:6cff:fe8a:2e8a '), '2a02::223:6cff:fe8a:2e8a')
+        self.assertEqual(
+            f.clean(" " * MAX_IPV6_ADDRESS_LENGTH + " 2a02::223:6cff:fe8a:2e8a "),
+            "2a02::223:6cff:fe8a:2e8a",
+            )
+         with self.assertRaisesMessage(ValidationError, "'This is not a valid IPv6 address.'"):
+             f.clean('12345:2:3:4')
+         with self.assertRaisesMessage(ValidationError, "'This is not a valid IPv6 address.'"):
+diff --git a/tests/utils_tests/test_ipv6.py b/tests/utils_tests/test_ipv6.py
+index 4e434f3..1ac6763 100644
+--- a/tests/utils_tests/test_ipv6.py
+++ b/tests/utils_tests/test_ipv6.py
+@@ -1,9 +1,17 @@
+-import unittest
+import traceback
+from io import StringIO
+ 
+-from django.utils.ipv6 import clean_ipv6_address, is_valid_ipv6_address
+from django.core.exceptions import ValidationError
+from django.test import SimpleTestCase
+from django.utils.ipv6 import (
+    MAX_IPV6_ADDRESS_LENGTH,
+    clean_ipv6_address,
+    is_valid_ipv6_address,
+)
+from django.utils.version import PY310
+ 
+ 
+-class TestUtilsIPv6(unittest.TestCase):
+class TestUtilsIPv6(SimpleTestCase):
+ 
+     def test_validates_correct_plain_address(self):
+         self.assertTrue(is_valid_ipv6_address('fe80::223:6cff:fe8a:2e8a'))
+@@ -55,3 +63,29 @@ class TestUtilsIPv6(unittest.TestCase):
+         self.assertEqual(clean_ipv6_address('::ffff:0a0a:0a0a', unpack_ipv4=True), '10.10.10.10')
+         self.assertEqual(clean_ipv6_address('::ffff:1234:1234', unpack_ipv4=True), '18.52.18.52')
+         self.assertEqual(clean_ipv6_address('::ffff:18.52.18.52', unpack_ipv4=True), '18.52.18.52')
+
+    def test_address_too_long(self):
+        addresses = [
+            "0000:0000:0000:0000:0000:ffff:192.168.100.228",  # IPv4-mapped IPv6 address
+            "0000:0000:0000:0000:0000:ffff:192.168.100.228%123456",  # % scope/zone
+            "fe80::223:6cff:fe8a:2e8a:1234:5678:00000",  # MAX_IPV6_ADDRESS_LENGTH + 1
+        ]
+        msg = "This is the error message."
+        value_error_msg = "Unable to convert %s to an IPv6 address (value too long)."
+        for addr in addresses:
+            with self.subTest(addr=addr):
+                self.assertGreater(len(addr), MAX_IPV6_ADDRESS_LENGTH)
+                self.assertEqual(is_valid_ipv6_address(addr), False)
+                with self.assertRaisesMessage(ValidationError, msg) as ctx:
+                    clean_ipv6_address(addr, error_message=msg)
+                exception_traceback = StringIO()
+                if PY310:
+                    traceback.print_exception(ctx.exception, file=exception_traceback)
+                else:
+                    traceback.print_exception(
+                        type(ctx.exception),
+                        value=ctx.exception,
+                        tb=ctx.exception.__traceback__,
+                        file=exception_traceback,
+                    )
+                self.assertIn(value_error_msg % addr, exception_traceback.getvalue())
+-- 
+2.40.0
author	Saravanan <saravanan.kadambathursubramaniyam@windriver.com>	2025-11-30 17:11:29 +0530
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-11-30 15:16:31 +0100
commit	0b554678b68189e14293a8a6a07bb6998ce345c4 (patch)
tree	c1f08279ef62012579042972e52b711c31ff9c32 /meta-python/recipes-devtools/python/python3-django/CVE-2024-56374.patch
parent	540b79e3eeec268bfbc49ad1fe227cc385005bf4 (diff)
download	meta-openembedded-0b554678b68189e14293a8a6a07bb6998ce345c4.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-56374.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-56374.patch new file mode 100644 index 0000000000..3b86eacc41 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-56374.patch
@@ -0,0 +1,315 @@
	1	From ad866a1ca3e7d60da888d25d27e46a8adb2ed36e Mon Sep 17 00:00:00 2001
	2	From: Natalia <124304+nessita@users.noreply.github.com>
	3	Date: Mon, 6 Jan 2025 15:51:45 -0300
	4	Subject: [PATCH] Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6
	5	validation.
	6
	7	Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz
	8	Felisiak for the reviews.
	9
	10	CVE: CVE-2024-56374
	11
	12	Upstream-Status: Backport
	13	https://github.com/django/django/commit/ad866a1ca3e7d60da888d25d27e46a8adb2ed36e
	14
	15	Signed-off-by: Natalia <124304+nessita@users.noreply.github.com>
	16	Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
	17	Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
	18
	19	%% original patch: CVE-2024-56374.patch
	20	---
	21	django/db/models/fields/__init__.py \| 6 +--
	22	django/forms/fields.py \| 7 +++-
	23	django/utils/ipv6.py \| 22 ++++++++--
	24	docs/ref/forms/fields.txt \| 13 +++++-
	25	docs/releases/2.2.28.txt \| 12 ++++++
	26	.../field_tests/test_genericipaddressfield.py \| 35 +++++++++++++++-
	27	tests/utils_tests/test_ipv6.py \| 40 +++++++++++++++++--
	28	7 files changed, 120 insertions(+), 15 deletions(-)
	29
	30	diff --git a/django/db/models/fields/__init__.py b/django/db/models/fields/__init__.py
	31	index e2d1846..c77702f 100644
	32	--- a/django/db/models/fields/__init__.py
	33	+++ b/django/db/models/fields/__init__.py
	34	@@ -26,7 +26,7 @@ from django.utils.dateparse import (
	35	)
	36	from django.utils.duration import duration_microseconds, duration_string
	37	from django.utils.functional import Promise, cached_property
	38	-from django.utils.ipv6 import clean_ipv6_address
	39	+from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH, clean_ipv6_address
	40	from django.utils.itercompat import is_iterable
	41	from django.utils.text import capfirst
	42	from django.utils.translation import gettext_lazy as _
	43	@@ -1904,7 +1904,7 @@ class GenericIPAddressField(Field):
	44	self.default_validators, invalid_error_message = \
	45	validators.ip_address_validators(protocol, unpack_ipv4)
	46	self.default_error_messages['invalid'] = invalid_error_message
	47	- kwargs['max_length'] = 39
	48	+ kwargs["max_length"] = MAX_IPV6_ADDRESS_LENGTH
	49	super().__init__(verbose_name, name, args, *kwargs)
	50
	51	def check(self, **kwargs):
	52	@@ -1931,7 +1931,7 @@ class GenericIPAddressField(Field):
	53	kwargs['unpack_ipv4'] = self.unpack_ipv4
	54	if self.protocol != "both":
	55	kwargs['protocol'] = self.protocol
	56	- if kwargs.get("max_length") == 39:
	57	+ if kwargs.get("max_length") == self.max_length:
	58	del kwargs['max_length']
	59	return name, path, args, kwargs
	60
	61	diff --git a/django/forms/fields.py b/django/forms/fields.py
	62	index f939338..b3156b9 100644
	63	--- a/django/forms/fields.py
	64	+++ b/django/forms/fields.py
	65	@@ -29,7 +29,7 @@ from django.forms.widgets import (
	66	from django.utils import formats
	67	from django.utils.dateparse import parse_duration
	68	from django.utils.duration import duration_string
	69	-from django.utils.ipv6 import clean_ipv6_address
	70	+from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH, clean_ipv6_address
	71	from django.utils.translation import gettext_lazy as _, ngettext_lazy
	72
	73	__all__ = (
	74	@@ -1162,6 +1162,7 @@ class GenericIPAddressField(CharField):
	75	def __init__(self, , protocol='both', unpack_ipv4=False, *kwargs):
	76	self.unpack_ipv4 = unpack_ipv4
	77	self.default_validators = validators.ip_address_validators(protocol, unpack_ipv4)[0]
	78	+ kwargs.setdefault("max_length", MAX_IPV6_ADDRESS_LENGTH)
	79	super().__init__(**kwargs)
	80
	81	def to_python(self, value):
	82	@@ -1169,7 +1170,9 @@ class GenericIPAddressField(CharField):
	83	return ''
	84	value = value.strip()
	85	if value and ':' in value:
	86	- return clean_ipv6_address(value, self.unpack_ipv4)
	87	+ return clean_ipv6_address(
	88	+ value, self.unpack_ipv4, max_length=self.max_length
	89	+ )
	90	return value
	91
	92
	93	diff --git a/django/utils/ipv6.py b/django/utils/ipv6.py
	94	index ddb8c80..aed7902 100644
	95	--- a/django/utils/ipv6.py
	96	+++ b/django/utils/ipv6.py
	97	@@ -3,9 +3,23 @@ import ipaddress
	98	from django.core.exceptions import ValidationError
	99	from django.utils.translation import gettext_lazy as _
	100
	101	+MAX_IPV6_ADDRESS_LENGTH = 39
	102
	103	-def clean_ipv6_address(ip_str, unpack_ipv4=False,
	104	- error_message=_("This is not a valid IPv6 address.")):
	105	+
	106	+def _ipv6_address_from_str(ip_str, max_length=MAX_IPV6_ADDRESS_LENGTH):
	107	+ if len(ip_str) > max_length:
	108	+ raise ValueError(
	109	+ f"Unable to convert {ip_str} to an IPv6 address (value too long)."
	110	+ )
	111	+ return ipaddress.IPv6Address(int(ipaddress.IPv6Address(ip_str)))
	112	+
	113	+
	114	+def clean_ipv6_address(
	115	+ ip_str,
	116	+ unpack_ipv4=False,
	117	+ error_message=_("This is not a valid IPv6 address."),
	118	+ max_length=MAX_IPV6_ADDRESS_LENGTH,
	119	+ ):
	120	"""
	121	Clean an IPv6 address string.
	122
	123	@@ -23,7 +37,7 @@ def clean_ipv6_address(ip_str, unpack_ipv4=False,
	124	Return a compressed IPv6 address or the same value.
	125	"""
	126	try:
	127	- addr = ipaddress.IPv6Address(int(ipaddress.IPv6Address(ip_str)))
	128	+ addr = _ipv6_address_from_str(ip_str, max_length)
	129	except ValueError:
	130	raise ValidationError(error_message, code='invalid')
	131
	132	@@ -40,7 +54,7 @@ def is_valid_ipv6_address(ip_str):
	133	Return whether or not the `ip_str` string is a valid IPv6 address.
	134	"""
	135	try:
	136	- ipaddress.IPv6Address(ip_str)
	137	+ _ipv6_address_from_str(ip_str)
	138	except ValueError:
	139	return False
	140	return True
	141	diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt
	142	index 3a888ef..688890a 100644
	143	--- a/docs/ref/forms/fields.txt
	144	+++ b/docs/ref/forms/fields.txt
	145	@@ -791,7 +791,7 @@ For each field, we describe the default widget used if you don't specify
	146	* Empty value: ``''`` (an empty string)
	147	* Normalizes to: A string. IPv6 addresses are normalized as described below.
	148	* Validates that the given value is a valid IP address.
	149	- * Error message keys: ``required``, ``invalid``
	150	+ * Error message keys: ``required``, ``invalid``, ``max_length``
	151
	152	The IPv6 address normalization follows :rfc:`4291#section-2.2` section 2.2,
	153	including using the IPv4 format suggested in paragraph 3 of that section, like
	154	@@ -799,7 +799,7 @@ For each field, we describe the default widget used if you don't specify
	155	``2001::1``, and ``::ffff:0a0a:0a0a`` to ``::ffff:10.10.10.10``. All characters
	156	are converted to lowercase.
	157
	158	- Takes two optional arguments:
	159	+ Takes three optional arguments:
	160
	161	.. attribute:: protocol
	162
	163	@@ -814,6 +814,15 @@ For each field, we describe the default widget used if you don't specify
	164	``192.0.2.1``. Default is disabled. Can only be used
	165	when ``protocol`` is set to ``'both'``.
	166
	167	+ .. attribute:: max_length
	168	+
	169	+ Defaults to 39, and behaves the same way as it does for
	170	+ :class:`CharField`.
	171	+
	172	+ .. versionchanged:: 4.2.18
	173	+
	174	+ The default value for ``max_length`` was set to 39 characters.
	175	+
	176	``MultipleChoiceField``
	177	-----------------------
	178
	179	diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
	180	index 7096d13..0e092f0 100644
	181	--- a/docs/releases/2.2.28.txt
	182	+++ b/docs/releases/2.2.28.txt
	183	@@ -105,3 +105,15 @@ CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text
	184	The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a
	185	potential denial-of-service attack when used with very long strings.
	186
	187	+CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
	188	+============================================================================
	189	+
	190	+Lack of upper bound limit enforcement in strings passed when performing IPv6
	191	+validation could lead to a potential denial-of-service attack. The undocumented
	192	+and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
	193	+vulnerable, as was the :class:`django.forms.GenericIPAddressField` form field,
	194	+which has now been updated to define a ``max_length`` of 39 characters.
	195	+
	196	+The :class:`django.db.models.GenericIPAddressField` model field was not
	197	+affected.
	198	+
	199	diff --git a/tests/forms_tests/field_tests/test_genericipaddressfield.py b/tests/forms_tests/field_tests/test_genericipaddressfield.py
	200	index 97a83e3..4c79d78 100644
	201	--- a/tests/forms_tests/field_tests/test_genericipaddressfield.py
	202	+++ b/tests/forms_tests/field_tests/test_genericipaddressfield.py
	203	@@ -1,5 +1,6 @@
	204	from django.forms import GenericIPAddressField, ValidationError
	205	from django.test import SimpleTestCase
	206	+from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH
	207
	208
	209	class GenericIPAddressFieldTest(SimpleTestCase):
	210	@@ -89,6 +90,35 @@ class GenericIPAddressFieldTest(SimpleTestCase):
	211	with self.assertRaisesMessage(ValidationError, "'This is not a valid IPv6 address.'"):
	212	f.clean('1:2')
	213
	214	+ def test_generic_ipaddress_max_length_custom(self):
	215	+ # Valid IPv4-mapped IPv6 address, len 45.
	216	+ addr = "0000:0000:0000:0000:0000:ffff:192.168.100.228"
	217	+ f = GenericIPAddressField(max_length=len(addr))
	218	+ f.clean(addr)
	219	+
	220	+ def test_generic_ipaddress_max_length_validation_error(self):
	221	+ # Valid IPv4-mapped IPv6 address, len 45.
	222	+ addr = "0000:0000:0000:0000:0000:ffff:192.168.100.228"
	223	+
	224	+ cases = [
	225	+ ({}, MAX_IPV6_ADDRESS_LENGTH), # Default value.
	226	+ ({"max_length": len(addr) - 1}, len(addr) - 1),
	227	+ ]
	228	+ for kwargs, max_length in cases:
	229	+ max_length_plus_one = max_length + 1
	230	+ msg = (
	231	+ f"Ensure this value has at most {max_length} characters (it has "
	232	+ f"{max_length_plus_one}).'"
	233	+ )
	234	+ with self.subTest(max_length=max_length):
	235	+ f = GenericIPAddressField(**kwargs)
	236	+ with self.assertRaisesMessage(ValidationError, msg):
	237	+ f.clean("x" * max_length_plus_one)
	238	+ with self.assertRaisesMessage(
	239	+ ValidationError, "This is not a valid IPv6 address."
	240	+ ):
	241	+ f.clean(addr)
	242	+
	243	def test_generic_ipaddress_as_generic_not_required(self):
	244	f = GenericIPAddressField(required=False)
	245	self.assertEqual(f.clean(''), '')
	246	@@ -103,7 +133,10 @@ class GenericIPAddressFieldTest(SimpleTestCase):
	247	with self.assertRaisesMessage(ValidationError, "'Enter a valid IPv4 or IPv6 address.'"):
	248	f.clean('256.125.1.5')
	249	self.assertEqual(f.clean(' fe80::223:6cff:fe8a:2e8a '), 'fe80::223:6cff:fe8a:2e8a')
	250	- self.assertEqual(f.clean(' 2a02::223:6cff:fe8a:2e8a '), '2a02::223:6cff:fe8a:2e8a')
	251	+ self.assertEqual(
	252	+ f.clean(" " * MAX_IPV6_ADDRESS_LENGTH + " 2a02::223:6cff:fe8a:2e8a "),
	253	+ "2a02::223:6cff:fe8a:2e8a",
	254	+ )
	255	with self.assertRaisesMessage(ValidationError, "'This is not a valid IPv6 address.'"):
	256	f.clean('12345:2:3:4')
	257	with self.assertRaisesMessage(ValidationError, "'This is not a valid IPv6 address.'"):
	258	diff --git a/tests/utils_tests/test_ipv6.py b/tests/utils_tests/test_ipv6.py
	259	index 4e434f3..1ac6763 100644
	260	--- a/tests/utils_tests/test_ipv6.py
	261	+++ b/tests/utils_tests/test_ipv6.py
	262	@@ -1,9 +1,17 @@
	263	-import unittest
	264	+import traceback
	265	+from io import StringIO
	266
	267	-from django.utils.ipv6 import clean_ipv6_address, is_valid_ipv6_address
	268	+from django.core.exceptions import ValidationError
	269	+from django.test import SimpleTestCase
	270	+from django.utils.ipv6 import (
	271	+ MAX_IPV6_ADDRESS_LENGTH,
	272	+ clean_ipv6_address,
	273	+ is_valid_ipv6_address,
	274	+)
	275	+from django.utils.version import PY310
	276
	277
	278	-class TestUtilsIPv6(unittest.TestCase):
	279	+class TestUtilsIPv6(SimpleTestCase):
	280
	281	def test_validates_correct_plain_address(self):
	282	self.assertTrue(is_valid_ipv6_address('fe80::223:6cff:fe8a:2e8a'))
	283	@@ -55,3 +63,29 @@ class TestUtilsIPv6(unittest.TestCase):
	284	self.assertEqual(clean_ipv6_address('::ffff:0a0a:0a0a', unpack_ipv4=True), '10.10.10.10')
	285	self.assertEqual(clean_ipv6_address('::ffff:1234:1234', unpack_ipv4=True), '18.52.18.52')
	286	self.assertEqual(clean_ipv6_address('::ffff:18.52.18.52', unpack_ipv4=True), '18.52.18.52')
	287	+
	288	+ def test_address_too_long(self):
	289	+ addresses = [
	290	+ "0000:0000:0000:0000:0000:ffff:192.168.100.228", # IPv4-mapped IPv6 address
	291	+ "0000:0000:0000:0000:0000:ffff:192.168.100.228%123456", # % scope/zone
	292	+ "fe80::223:6cff:fe8a:2e8a:1234:5678:00000", # MAX_IPV6_ADDRESS_LENGTH + 1
	293	+ ]
	294	+ msg = "This is the error message."
	295	+ value_error_msg = "Unable to convert %s to an IPv6 address (value too long)."
	296	+ for addr in addresses:
	297	+ with self.subTest(addr=addr):
	298	+ self.assertGreater(len(addr), MAX_IPV6_ADDRESS_LENGTH)
	299	+ self.assertEqual(is_valid_ipv6_address(addr), False)
	300	+ with self.assertRaisesMessage(ValidationError, msg) as ctx:
	301	+ clean_ipv6_address(addr, error_message=msg)
	302	+ exception_traceback = StringIO()
	303	+ if PY310:
	304	+ traceback.print_exception(ctx.exception, file=exception_traceback)
	305	+ else:
	306	+ traceback.print_exception(
	307	+ type(ctx.exception),
	308	+ value=ctx.exception,
	309	+ tb=ctx.exception.__traceback__,
	310	+ file=exception_traceback,
	311	+ )
	312	+ self.assertIn(value_error_msg % addr, exception_traceback.getvalue())
	313	--
	314	2.40.0
	315