1
0
mirror of https://github.com/django/django.git synced 2024-12-22 09:05:43 +00:00

Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma template filter.

Thanks Seokchan Yoon for the report.

Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Co-authored-by: Shai Berger <shai@platonix.com>
This commit is contained in:
Adam Johnson 2024-01-22 13:21:13 +00:00 committed by Natalia
parent 9cefdfc43f
commit 55519d6cf8
5 changed files with 87 additions and 8 deletions

View File

@ -75,12 +75,13 @@ def intcomma(value, use_l10n=True):
return intcomma(value, False)
else:
return number_format(value, use_l10n=True, force_grouping=True)
orig = str(value)
new = re.sub(r"^(-?\d+)(\d{3})", r"\g<1>,\g<2>", orig)
if orig == new:
return new
else:
return intcomma(new, use_l10n)
result = str(value)
match = re.match(r"-?\d+", result)
if match:
prefix = match[0]
prefix_with_commas = re.sub(r"\d{3}", r"\g<0>,", prefix[::-1])[::-1]
result = prefix_with_commas + result[len(prefix) :]
return result
# A tuple of standard large number to their converters

View File

@ -6,4 +6,8 @@ Django 3.2.24 release notes
Django 3.2.24 fixes a security issue with severity "moderate" in 3.2.23.
...
CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
===========================================================================
The ``intcomma`` template filter was subject to a potential denial-of-service
attack when used with very long strings.

View File

@ -6,4 +6,8 @@ Django 4.2.10 release notes
Django 4.2.10 fixes a security issue with severity "moderate" in 4.2.9.
...
CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
===========================================================================
The ``intcomma`` template filter was subject to a potential denial-of-service
attack when used with very long strings.

View File

@ -7,6 +7,12 @@ Django 5.0.2 release notes
Django 5.0.2 fixes a security issue with severity "moderate" and several bugs
in 5.0.1. Also, the latest string translations from Transifex are incorporated.
CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
===========================================================================
The ``intcomma`` template filter was subject to a potential denial-of-service
attack when used with very long strings.
Bugfixes
========

View File

@ -116,39 +116,71 @@ class HumanizeTests(SimpleTestCase):
def test_intcomma(self):
test_list = (
100,
-100,
1000,
-1000,
10123,
-10123,
10311,
-10311,
1000000,
-1000000,
1234567.25,
-1234567.25,
"100",
"-100",
"1000",
"-1000",
"10123",
"-10123",
"10311",
"-10311",
"1000000",
"-1000000",
"1234567.1234567",
"-1234567.1234567",
Decimal("1234567.1234567"),
Decimal("-1234567.1234567"),
None,
"",
"-",
".",
"-.",
"the quick brown fox jumped over the lazy dog",
)
result_list = (
"100",
"-100",
"1,000",
"-1,000",
"10,123",
"-10,123",
"10,311",
"-10,311",
"1,000,000",
"-1,000,000",
"1,234,567.25",
"-1,234,567.25",
"100",
"-100",
"1,000",
"-1,000",
"10,123",
"-10,123",
"10,311",
"-10,311",
"1,000,000",
"-1,000,000",
"1,234,567.1234567",
"-1,234,567.1234567",
"1,234,567.1234567",
"-1,234,567.1234567",
None,
"1,234,567",
"-1,234,567",
",,.",
"-,,.",
"the quick brown fox jumped over the lazy dog",
)
with translation.override("en"):
self.humanize_tester(test_list, result_list, "intcomma")
@ -156,39 +188,71 @@ class HumanizeTests(SimpleTestCase):
def test_l10n_intcomma(self):
test_list = (
100,
-100,
1000,
-1000,
10123,
-10123,
10311,
-10311,
1000000,
-1000000,
1234567.25,
-1234567.25,
"100",
"-100",
"1000",
"-1000",
"10123",
"-10123",
"10311",
"-10311",
"1000000",
"-1000000",
"1234567.1234567",
"-1234567.1234567",
Decimal("1234567.1234567"),
-Decimal("1234567.1234567"),
None,
"",
"-",
".",
"-.",
"the quick brown fox jumped over the lazy dog",
)
result_list = (
"100",
"-100",
"1,000",
"-1,000",
"10,123",
"-10,123",
"10,311",
"-10,311",
"1,000,000",
"-1,000,000",
"1,234,567.25",
"-1,234,567.25",
"100",
"-100",
"1,000",
"-1,000",
"10,123",
"-10,123",
"10,311",
"-10,311",
"1,000,000",
"-1,000,000",
"1,234,567.1234567",
"-1,234,567.1234567",
"1,234,567.1234567",
"-1,234,567.1234567",
None,
"1,234,567",
"-1,234,567",
",,.",
"-,,.",
"the quick brown fox jumped over the lazy dog",
)
with self.settings(USE_THOUSAND_SEPARATOR=False):
with translation.override("en"):