Closed ERosendo closed 4 days ago
@mlissner I've been trying to reproduce this vulnerability concerning excessive character input during registration. Based on my findings, this doesn't appear to be a security risk due to the following factors:
Client-Side Validation: The HTML form on the `/register` page uses the `maxlength` attribute, effectively limiting user input to a maximum of 150 characters. This prevents users from entering excessively long strings in the first place.
```html
<input type="text" name="username" maxlength="150" autofocus="" required="" aria-describedby="id_username_helptext" id="id_username">
<input type="text" name="first_name" maxlength="150" id="id_first_name">
<input type="text" name="last_name" maxlength="150" id="id_last_name">
```
Server-Side Validation: Even if a user attempts to bypass client-side validation by manipulating the HTML code, the server-side validation remains in place. Django's default user model enforces a maximum username length of 150 characters. This ensures that overly long usernames cannot be created successfully, regardless of client-side attempts.
Here are screenshots showing that the server returns an error for usernames exceeding the allowed length
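As an added illustration of the two layers described above (not code from this project): a constructed copy of the three `/register` inputs is parsed for their client-side `maxlength`, and a server-side check modelled on the `max_length=150` that Django's default user model declares for `username`, `first_name` and `last_name` rejects a submission that skipped the browser limit. The server-side function and its error wording are assumptions written for this example, not Django's own code.

```python
from html.parser import HTMLParser

# Constructed copy of the three inputs quoted from the /register form.
REGISTER_FORM_HTML = """
<input type="text" name="username" maxlength="150" autofocus="" required="" aria-describedby="id_username_helptext" id="id_username">
<input type="text" name="first_name" maxlength="150" id="id_first_name">
<input type="text" name="last_name" maxlength="150" id="id_last_name">
"""

# Limits enforced on the server, mirroring max_length=150 on Django's default user model.
SERVER_MAX_LENGTH = {"username": 150, "first_name": 150, "last_name": 150}


class MaxLengthExtractor(HTMLParser):
    """Collect the maxlength attribute of every <input>: the client-side limit only."""

    def __init__(self):
        super().__init__()
        self.limits = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("name") and a.get("maxlength"):
            self.limits[a["name"]] = int(a["maxlength"])


def client_side_limits(html):
    """Return {field name: maxlength} as the browser would enforce it."""
    parser = MaxLengthExtractor()
    parser.feed(html)
    return parser.limits


def validate_registration(fields):
    """Server-side length check (hypothetical stand-in for Django's form validation).

    Returns {field name: error message}; an empty dict means the submission is accepted.
    The client-side maxlength is irrelevant here: a crafted request that omits it is
    still rejected because the limit is checked again on the server.
    """
    errors = {}
    for name, limit in SERVER_MAX_LENGTH.items():
        value = fields.get(name, "")
        if len(value) > limit:
            errors[name] = f"Ensure this value has at most {limit} characters (it has {len(value)})."
    return errors
```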
Confirmed by reporter that this was a false positive. Great.
It seems like the signup functionality on the website allows users to set names & username of excessively long length, potentially ranging into hundreds of thousands of digits. This can lead to several security and performance issues, including memory corruption and resource exhaustion (especially if the system is not equipped to handle such large inputs efficiently). Here's a reference to a similar issue to understand the potential risks: https://hackerone.com/reports/819088