Skip to content

Commit

Permalink
[5.0.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma t…
Browse files Browse the repository at this point in the history
…emplate filter.

Thanks Seokchan Yoon for the report.

Co-authored-by: Mariusz Felisiak <[email protected]>
Co-authored-by: Natalia <[email protected]>
Co-authored-by: Shai Berger <[email protected]>
  • Loading branch information
4 people committed Feb 6, 2024
1 parent 2cfa3fb commit 16a8fe1
Show file tree
Hide file tree
Showing 5 changed files with 87 additions and 8 deletions.
13 changes: 7 additions & 6 deletions django/contrib/humanize/templatetags/humanize.py
Original file line number Diff line number Diff line change
Expand Up @@ -75,12 +75,13 @@ def intcomma(value, use_l10n=True):
return intcomma(value, False)
else:
return number_format(value, use_l10n=True, force_grouping=True)
orig = str(value)
new = re.sub(r"^(-?\d+)(\d{3})", r"\g<1>,\g<2>", orig)
if orig == new:
return new
else:
return intcomma(new, use_l10n)
result = str(value)
match = re.match(r"-?\d+", result)
if match:
prefix = match[0]
prefix_with_commas = re.sub(r"\d{3}", r"\g<0>,", prefix[::-1])[::-1]
result = prefix_with_commas + result[len(prefix) :]
return result


# A tuple of standard large number to their converters
Expand Down
6 changes: 5 additions & 1 deletion docs/releases/3.2.24.txt
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,8 @@ Django 3.2.24 release notes

Django 3.2.24 fixes a security issue with severity "moderate" in 3.2.23.

...
CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
===========================================================================

The ``intcomma`` template filter was subject to a potential denial-of-service
attack when used with very long strings.
6 changes: 5 additions & 1 deletion docs/releases/4.2.10.txt
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,8 @@ Django 4.2.10 release notes

Django 4.2.10 fixes a security issue with severity "moderate" in 4.2.9.

...
CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
===========================================================================

The ``intcomma`` template filter was subject to a potential denial-of-service
attack when used with very long strings.
6 changes: 6 additions & 0 deletions docs/releases/5.0.2.txt
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,12 @@ Django 5.0.2 release notes
Django 5.0.2 fixes a security issue with severity "moderate" and several bugs
in 5.0.1. Also, the latest string translations from Transifex are incorporated.

CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
===========================================================================

The ``intcomma`` template filter was subject to a potential denial-of-service
attack when used with very long strings.

Bugfixes
========

Expand Down
64 changes: 64 additions & 0 deletions tests/humanize_tests/tests.py
Original file line number Diff line number Diff line change
Expand Up @@ -116,79 +116,143 @@ def test_i18n_html_ordinal(self):
def test_intcomma(self):
test_list = (
100,
-100,
1000,
-1000,
10123,
-10123,
10311,
-10311,
1000000,
-1000000,
1234567.25,
-1234567.25,
"100",
"-100",
"1000",
"-1000",
"10123",
"-10123",
"10311",
"-10311",
"1000000",
"-1000000",
"1234567.1234567",
"-1234567.1234567",
Decimal("1234567.1234567"),
Decimal("-1234567.1234567"),
None,
"1234567",
"-1234567",
"1234567.12",
"-1234567.12",
"the quick brown fox jumped over the lazy dog",
)
result_list = (
"100",
"-100",
"1,000",
"-1,000",
"10,123",
"-10,123",
"10,311",
"-10,311",
"1,000,000",
"-1,000,000",
"1,234,567.25",
"-1,234,567.25",
"100",
"-100",
"1,000",
"-1,000",
"10,123",
"-10,123",
"10,311",
"-10,311",
"1,000,000",
"-1,000,000",
"1,234,567.1234567",
"-1,234,567.1234567",
"1,234,567.1234567",
"-1,234,567.1234567",
None,
"1,234,567",
"-1,234,567",
"1,234,567.12",
"-1,234,567.12",
"the quick brown fox jumped over the lazy dog",
)
with translation.override("en"):
self.humanize_tester(test_list, result_list, "intcomma")

def test_l10n_intcomma(self):
test_list = (
100,
-100,
1000,
-1000,
10123,
-10123,
10311,
-10311,
1000000,
-1000000,
1234567.25,
-1234567.25,
"100",
"-100",
"1000",
"-1000",
"10123",
"-10123",
"10311",
"-10311",
"1000000",
"-1000000",
"1234567.1234567",
"-1234567.1234567",
Decimal("1234567.1234567"),
-Decimal("1234567.1234567"),
None,
"1234567",
"-1234567",
"1234567.12",
"-1234567.12",
"the quick brown fox jumped over the lazy dog",
)
result_list = (
"100",
"-100",
"1,000",
"-1,000",
"10,123",
"-10,123",
"10,311",
"-10,311",
"1,000,000",
"-1,000,000",
"1,234,567.25",
"-1,234,567.25",
"100",
"-100",
"1,000",
"-1,000",
"10,123",
"-10,123",
"10,311",
"-10,311",
"1,000,000",
"-1,000,000",
"1,234,567.1234567",
"-1,234,567.1234567",
"1,234,567.1234567",
"-1,234,567.1234567",
None,
"1,234,567",
"-1,234,567",
"1,234,567.12",
"-1,234,567.12",
"the quick brown fox jumped over the lazy dog",
)
with self.settings(USE_THOUSAND_SEPARATOR=False):
with translation.override("en"):
Expand Down

0 comments on commit 16a8fe1

Please sign in to comment.