1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
From 85fd44420b007be726b502e3be58f56b0e44cc08 Mon Sep 17 00:00:00 2001
From: Gyorgy Sarvari <skandigraun@gmail.com>
Date: Thu, 15 Jan 2026 13:36:01 +0100
Subject: [PATCH] Fix patch for CVE-2023-36053
The patch was accidentally backported incorrectly. The patch in general
introduces a field-length restrictrion on the email input fields, however
the patch was backported in a way that the restriction was applied on
file input fields instead of email fields.
This change amends the patch in a way to restrict the email field.
CVE: CVE-2023-36053
Upstream-Status: Inappropriate [Backport specific]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
django/forms/fields.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/django/forms/fields.py b/django/forms/fields.py
index b3156b9..bbb135f 100644
--- a/django/forms/fields.py
+++ b/django/forms/fields.py
@@ -523,6 +523,9 @@ class EmailField(CharField):
default_validators = [validators.validate_email]
def __init__(self, **kwargs):
+ # The default maximum length of an email is 320 characters per RFC 3696
+ # section 3.
+ kwargs.setdefault("max_length", 320)
super().__init__(strip=True, **kwargs)
@@ -542,9 +545,6 @@ class FileField(Field):
def __init__(self, *, max_length=None, allow_empty_file=False, **kwargs):
self.max_length = max_length
self.allow_empty_file = allow_empty_file
- # The default maximum length of an email is 320 characters per RFC 3696
- # section 3.
- kwargs.setdefault("max_length", 320)
super().__init__(**kwargs)
def to_python(self, data):
|
