From: Chris Lamb Date: Mon, 6 Jan 2020 17:50:09 +0000 Subject: CVE-2019-19844 --- django/contrib/auth/forms.py | 20 +++++++++++++++++++- tests/auth_tests/test_forms.py | 42 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 1 deletion(-) diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py index 18ea52c..d463ec9 100644 --- a/django/contrib/auth/forms.py +++ b/django/contrib/auth/forms.py @@ -19,9 +19,23 @@ from django.utils.encoding import force_bytes from django.utils.html import format_html, format_html_join from django.utils.http import urlsafe_base64_encode from django.utils.safestring import mark_safe +from django.utils.six import PY3 from django.utils.text import capfirst from django.utils.translation import ugettext, ugettext_lazy as _ +def _unicode_ci_compare(s1, s2): + """ + Perform case-insensitive comparison of two identifiers, using the + recommended algorithm from Unicode Technical Report 36, section + 2.11.2(B)(2). + """ + normalized1 = unicodedata.normalize('NFKC', s1) + normalized2 = unicodedata.normalize('NFKC', s2) + if PY3: + return normalized1.casefold() == normalized2.casefold() + # lower() is the best alternative available on Python 2. + return normalized1.lower() == normalized2.lower() + class ReadOnlyPasswordHashWidget(forms.Widget): def render(self, name, value, attrs): @@ -255,7 +269,11 @@ class PasswordResetForm(forms.Form): """ active_users = get_user_model()._default_manager.filter( email__iexact=email, is_active=True) - return (u for u in active_users if u.has_usable_password()) + return ( + u for u in active_users + if u.has_usable_password() and + _unicode_ci_compare(email, u.email) + ) def save(self, domain_override=None, subject_template_name='registration/password_reset_subject.txt', diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py index 64c095b..9664d83 100644 --- a/tests/auth_tests/test_forms.py +++ b/tests/auth_tests/test_forms.py @@ -626,6 +626,48 @@ class PasswordResetFormTest(TestDataMixin, TestCase): self.assertFalse(form.is_valid()) self.assertEqual(form['email'].errors, [_('Enter a valid email address.')]) + def test_user_email_unicode_collision(self): + User.objects.create_user('mike123', 'mike@example.org', 'test123') + User.objects.create_user('mike456', 'mıke@example.org', 'test123') + data = {'email': 'mıke@example.org'} + form = PasswordResetForm(data) + if six.PY2: + self.assertFalse(form.is_valid()) + else: + self.assertTrue(form.is_valid()) + form.save() + self.assertEqual(len(mail.outbox), 1) + self.assertEqual(mail.outbox[0].to, ['mıke@example.org']) + + def test_user_email_domain_unicode_collision(self): + User.objects.create_user('mike123', 'mike@ixample.org', 'test123') + User.objects.create_user('mike456', 'mike@ıxample.org', 'test123') + data = {'email': 'mike@ıxample.org'} + form = PasswordResetForm(data) + self.assertTrue(form.is_valid()) + form.save() + self.assertEqual(len(mail.outbox), 1) + self.assertEqual(mail.outbox[0].to, ['mike@ıxample.org']) + + def test_user_email_unicode_collision_nonexistent(self): + User.objects.create_user('mike123', 'mike@example.org', 'test123') + data = {'email': 'mıke@example.org'} + form = PasswordResetForm(data) + if six.PY2: + self.assertFalse(form.is_valid()) + else: + self.assertTrue(form.is_valid()) + form.save() + self.assertEqual(len(mail.outbox), 0) + + def test_user_email_domain_unicode_collision_nonexistent(self): + User.objects.create_user('mike123', 'mike@ixample.org', 'test123') + data = {'email': 'mike@ıxample.org'} + form = PasswordResetForm(data) + self.assertTrue(form.is_valid()) + form.save() + self.assertEqual(len(mail.outbox), 0) + def test_nonexistent_email(self): """ Test nonexistent email address. This should not fail because it would