[Django] #34654: Post-normalization performed on the Username field leading to the bypass of the whitespace stripping

Wed, 14 Jun 2023 04:58:32 -0700 

#34654: Post-normalization performed on the Username field leading to the 
bypass of
the whitespace stripping
----------------------------------------+------------------------
               Reporter:  Sim4n6        |          Owner:  nobody
                   Type:  Bug           |         Status:  new
              Component:  contrib.auth  |        Version:  4.1
               Severity:  Normal        |       Keywords:
           Triage Stage:  Unreviewed    |      Has patch:  0
    Needs documentation:  0             |    Needs tests:  0
Patch needs improvement:  0             |  Easy pickings:  1
                  UI/UX:  0             |
----------------------------------------+------------------------
 **Summary**

 In the Django codebase
 
[L74](https://github.com/django/django/blob/a52bdea5a27ba44b13eda93642231c65c581e083/django/contrib/auth/forms.py#L74),
 when "strip" is enabled
 
[L265](https://github.com/django/django/blob/a52bdea5a27ba44b13eda93642231c65c581e083/django/forms/fields.py#L265),
 the username should not contain any trailing or leading whitespace.
 However, after stripping those whitespace
 
[L278..L279](https://github.com/django/django/blob/a52bdea5a27ba44b13eda93642231c65c581e083/django/forms/fields.py#L278..L279),
 normalization is performed. That means stripping whitespaces could be
 bypassed in the username using similar Unicode characters as "\u2800"

 Take the following case:

     result = unicodedata.normalize("NFKC",
 "\u2800\u2800sim4n6\u2800\u2800".strip())

 In case, the stripped string "sim4n6" contains a leading and trailing
 whitespace, that would be deleted and work perfectly.
 In case, the stripped string "\u2800\u2800sim4n6\u2800\u2800" contains
 similar Unicode characters to the whitespace which could be copied for
 instance from https://emptycharacter.com.

 **Impact**

 There is a security concern regarding including spaces in the username,
 plus that, the username is attacker-controlled input.
 This means the whitespace stripping on the username could be bypassed and
 a remote user could use unintended white space.


 @Sim4n6

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34654>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/01070188b9c57633-c65d712b-d6f8-4808-b64b-fc88c0f75516-000000%40eu-central-1.amazonses.com.

Reply via email to