Skip to content

Commit 572ea07

Browse files
adamchainzfelixxmnessitashaib
committed
[4.2.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma template filter.
Thanks Seokchan Yoon for the report. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Co-authored-by: Shai Berger <shai@platonix.com>
1 parent 9fe7411 commit 572ea07

File tree

4 files changed

+81
-8
lines changed

4 files changed

+81
-8
lines changed

django/contrib/humanize/templatetags/humanize.py

Lines changed: 7 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -75,12 +75,13 @@ def intcomma(value, use_l10n=True):
7575
return intcomma(value, False)
7676
else:
7777
return number_format(value, use_l10n=True, force_grouping=True)
78-
orig = str(value)
79-
new = re.sub(r"^(-?\d+)(\d{3})", r"\g<1>,\g<2>", orig)
80-
if orig == new:
81-
return new
82-
else:
83-
return intcomma(new, use_l10n)
78+
result = str(value)
79+
match = re.match(r"-?\d+", result)
80+
if match:
81+
prefix = match[0]
82+
prefix_with_commas = re.sub(r"\d{3}", r"\g<0>,", prefix[::-1])[::-1]
83+
result = prefix_with_commas + result[len(prefix) :]
84+
return result
8485

8586

8687
# A tuple of standard large number to their converters

docs/releases/3.2.24.txt

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,4 +6,8 @@ Django 3.2.24 release notes
66

77
Django 3.2.24 fixes a security issue with severity "moderate" in 3.2.23.
88

9-
...
9+
CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
10+
===========================================================================
11+
12+
The ``intcomma`` template filter was subject to a potential denial-of-service
13+
attack when used with very long strings.

docs/releases/4.2.10.txt

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,4 +6,8 @@ Django 4.2.10 release notes
66

77
Django 4.2.10 fixes a security issue with severity "moderate" in 4.2.9.
88

9-
...
9+
CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
10+
===========================================================================
11+
12+
The ``intcomma`` template filter was subject to a potential denial-of-service
13+
attack when used with very long strings.

tests/humanize_tests/tests.py

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -116,79 +116,143 @@ def test_i18n_html_ordinal(self):
116116
def test_intcomma(self):
117117
test_list = (
118118
100,
119+
-100,
119120
1000,
121+
-1000,
120122
10123,
123+
-10123,
121124
10311,
125+
-10311,
122126
1000000,
127+
-1000000,
123128
1234567.25,
129+
-1234567.25,
124130
"100",
131+
"-100",
125132
"1000",
133+
"-1000",
126134
"10123",
135+
"-10123",
127136
"10311",
137+
"-10311",
128138
"1000000",
139+
"-1000000",
129140
"1234567.1234567",
141+
"-1234567.1234567",
130142
Decimal("1234567.1234567"),
143+
Decimal("-1234567.1234567"),
131144
None,
132145
"1234567",
146+
"-1234567",
133147
"1234567.12",
148+
"-1234567.12",
149+
"the quick brown fox jumped over the lazy dog",
134150
)
135151
result_list = (
136152
"100",
153+
"-100",
137154
"1,000",
155+
"-1,000",
138156
"10,123",
157+
"-10,123",
139158
"10,311",
159+
"-10,311",
140160
"1,000,000",
161+
"-1,000,000",
141162
"1,234,567.25",
163+
"-1,234,567.25",
142164
"100",
165+
"-100",
143166
"1,000",
167+
"-1,000",
144168
"10,123",
169+
"-10,123",
145170
"10,311",
171+
"-10,311",
146172
"1,000,000",
173+
"-1,000,000",
147174
"1,234,567.1234567",
175+
"-1,234,567.1234567",
148176
"1,234,567.1234567",
177+
"-1,234,567.1234567",
149178
None,
150179
"1,234,567",
180+
"-1,234,567",
151181
"1,234,567.12",
182+
"-1,234,567.12",
183+
"the quick brown fox jumped over the lazy dog",
152184
)
153185
with translation.override("en"):
154186
self.humanize_tester(test_list, result_list, "intcomma")
155187

156188
def test_l10n_intcomma(self):
157189
test_list = (
158190
100,
191+
-100,
159192
1000,
193+
-1000,
160194
10123,
195+
-10123,
161196
10311,
197+
-10311,
162198
1000000,
199+
-1000000,
163200
1234567.25,
201+
-1234567.25,
164202
"100",
203+
"-100",
165204
"1000",
205+
"-1000",
166206
"10123",
207+
"-10123",
167208
"10311",
209+
"-10311",
168210
"1000000",
211+
"-1000000",
169212
"1234567.1234567",
213+
"-1234567.1234567",
170214
Decimal("1234567.1234567"),
215+
-Decimal("1234567.1234567"),
171216
None,
172217
"1234567",
218+
"-1234567",
173219
"1234567.12",
220+
"-1234567.12",
221+
"the quick brown fox jumped over the lazy dog",
174222
)
175223
result_list = (
176224
"100",
225+
"-100",
177226
"1,000",
227+
"-1,000",
178228
"10,123",
229+
"-10,123",
179230
"10,311",
231+
"-10,311",
180232
"1,000,000",
233+
"-1,000,000",
181234
"1,234,567.25",
235+
"-1,234,567.25",
182236
"100",
237+
"-100",
183238
"1,000",
239+
"-1,000",
184240
"10,123",
241+
"-10,123",
185242
"10,311",
243+
"-10,311",
186244
"1,000,000",
245+
"-1,000,000",
187246
"1,234,567.1234567",
247+
"-1,234,567.1234567",
188248
"1,234,567.1234567",
249+
"-1,234,567.1234567",
189250
None,
190251
"1,234,567",
252+
"-1,234,567",
191253
"1,234,567.12",
254+
"-1,234,567.12",
255+
"the quick brown fox jumped over the lazy dog",
192256
)
193257
with self.settings(USE_THOUSAND_SEPARATOR=False):
194258
with translation.override("en"):

0 commit comments

Comments
 (0)