mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-11-07 07:15:35 +00:00
Code Issues 32 Releases Wiki Activity

Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma template filter.

Browse Source 
Thanks Seokchan Yoon for the report.

Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Co-authored-by: Shai Berger <shai@platonix.com>
This commit is contained in:
Adam Johnson
2024-01-22 13:21:13 +00:00
committed by Natalia
parent 9cefdfc43f
commit 55519d6cf8
5 changed files with 87 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
django/contrib/humanize/templatetags/humanize.py
View File

@@ -75,12 +75,13 @@ def intcomma(value, use_l10n=True):
return intcomma(value, False)
else:
return number_format(value, use_l10n=True, force_grouping=True)
orig = str(value)
new = re.sub(r"^(-?\d+)(\d{3})", r"\g<1>,\g<2>", orig)
if orig == new:
return new
else:
return intcomma(new, use_l10n)
result = str(value)
match = re.match(r"-?\d+", result)
if match:
prefix = match[0]
prefix_with_commas = re.sub(r"\d{3}", r"\g<0>,", prefix[::-1])[::-1]
result = prefix_with_commas + result[len(prefix) :]
return result
# A tuple of standard large number to their converters