From 85fd44420b007be726b502e3be58f56b0e44cc08 Mon Sep 17 00:00:00 2001
From: Gyorgy Sarvari
Date: Thu, 15 Jan 2026 13:36:01 +0100
Subject: [PATCH] Fix patch for CVE-2023-36053

The patch was accidentally backported incorrectly. The patch in general introduces a field-length restrictrion on the email input fields, however the patch was backported in a way that the restriction was applied on file input fields instead of email fields. This change amends the patch in a way to restrict the email field.
CVE: CVE-2023-36053
Upstream-Status: Inappropriate [Backport specific]
Signed-off-by: Gyorgy Sarvari
---
 django/forms/fields.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/django/forms/fields.py b/django/forms/fields.py
index b3156b9..bbb135f 100644
--- a/django/forms/fields.py
+++ b/django/forms/fields.py
@@ -523,6 +523,9 @@ class EmailField(CharField):
 default_validators = [validators.validate_email]
 def __init__(self, **kwargs):
+ # The default maximum length of an email is 320 characters per RFC 3696
+ # section 3.
+ kwargs.setdefault("max_length", 320)
 super().__init__(strip=True, **kwargs)
@@ -542,9 +545,6 @@ class FileField(Field):
 def __init__(self, *, max_length=None, allow_empty_file=False, **kwargs):
 self.max_length = max_length
 self.allow_empty_file = allow_empty_file
- # The default maximum length of an email is 320 characters per RFC 3696
- # section 3.
- kwargs.setdefault("max_length", 320)
 super().__init__(**kwargs)
 def to_python(self, data):
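Review bot: `kwargs.setdefault("max_length", 320)` in `EmailField.__init__` (first hunk) only supplies a default, so a form that passes `max_length=None` or a larger value still hands input of arbitrary length to `validators.validate_email`. For a CVE-2023-36053 backport that is acceptable only if the validator itself also bounds the input length; that part is not visible in this patch, so it is worth confirming the validator side of the backport was applied to the right class as well. Because the cap sat on `FileField` unnoticed, I would add a regression test alongside this fix asserting `EmailField().max_length == 320` and `FileField().max_length is None`. `EmailField.__init__` is fully inside the first hunk; the `FileField` hunk is a pure removal and needs no further change.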