File CVE-2024-24680.patch of Package python-Django1

From 05cf3ad796a8427818f712d585f0fe9c0f6e0c13 Mon Sep 17 00:00:00 2001
From: Adam Johnson <me@adamj.eu>
Date: Mon, 22 Jan 2024 13:21:13 +0000
Subject: [PATCH] [3.2.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in
 intcomma template filter.

Thanks Seokchan Yoon for the report.

Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Co-authored-by: Shai Berger <shai@platonix.com>
---
 .../contrib/humanize/templatetags/humanize.py |  13 +-
 docs/releases/3.2.24.txt                      |  13 ++
 tests/humanize_tests/tests.py                 | 128 ++++++++++++++++--
 3 files changed, 134 insertions(+), 20 deletions(-)
 create mode 100644 docs/releases/3.2.24.txt

diff --git a/django/contrib/humanize/templatetags/humanize.py b/django/contrib/humanize/templatetags/humanize.py
index d7d8f2f897..05c67ae2d9 100644
--- a/django/contrib/humanize/templatetags/humanize.py
+++ b/django/contrib/humanize/templatetags/humanize.py
@@ -48,12 +48,13 @@ def intcomma(value, use_l10n=True):
             return intcomma(value, False)
         else:
             return number_format(value, force_grouping=True)
-    orig = force_text(value)
-    new = re.sub(r"^(-?\d+)(\d{3})", r'\g<1>,\g<2>', orig)
-    if orig == new:
-        return new
-    else:
-        return intcomma(new, use_l10n)
+    result = force_text(value)
+    match = re.match(r"-?\d{4,}", result)
+    if match:
+        prefix = match.group(0)
+        prefix_with_commas = re.sub(r"\d{3}", r"\g<0>,", prefix[::-1])[::-1]
+        result = prefix_with_commas + result[len(prefix) :]
+    return result
 
 
 # A tuple of standard large number to their converters
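Review bot: A leading comma is produced when the matched digit run has a length that is a multiple of three: on the line that builds `prefix_with_commas`, reversing `"100000"` and appending a comma after every three digits gives `"000,001,"`, which reverses to `",100,000"` (and `"-100000"` becomes `"-,100,000"`). The removed pattern `^(-?\d+)(\d{3})` required at least one digit before each group, so this is a change in output rather than existing behaviour. Strip the stray separator before reassembling, for example `prefix_with_commas = re.sub(r"^(-?),", r"\1", prefix_with_commas)` placed just before `result = prefix_with_commas + result[len(prefix) :]`. intcomma begins above the hunk, so which inputs reach this branch rather than the `number_format` return cannot be confirmed from here.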
diff --git a/docs/releases/3.2.24.txt b/docs/releases/3.2.24.txt
new file mode 100644
index 0000000000..67be0f65d1
--- /dev/null
+++ b/docs/releases/3.2.24.txt
@@ -0,0 +1,13 @@
+===========================
+Django 3.2.24 release notes
+===========================
+
+*February 6, 2024*
+
+Django 3.2.24 fixes a security issue with severity "moderate" in 3.2.23.
+
+CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
+===========================================================================
+
+The ``intcomma`` template filter was subject to a potential denial-of-service
+attack when used with very long strings.
diff --git a/tests/humanize_tests/tests.py b/tests/humanize_tests/tests.py
index a3cc512239..e3291be69a 100644
--- a/tests/humanize_tests/tests.py
+++ b/tests/humanize_tests/tests.py
@@ -35,8 +35,8 @@ class HumanizeTests(SimpleTestCase):
         for test_content, result in zip(test_list, result_list):
             t = Template('{%% load humanize %%}{{ test_content|%s }}' % method)
             rendered = t.render(Context(locals())).strip()
-            self.assertEqual(rendered, normalize_result_func(result),
-                             msg="%s test failed, produced '%s', should've produced '%s'" % (method, rendered, result))
+            self.assertEqual(rendered.encode('utf-8'), normalize_result_func(result).encode('utf-8'),
+                             msg="%s test failed, %s produced '%s', should've produced '%s'" % (method, test_content, rendered, result))
 
     def test_ordinal(self):
         test_list = ('1', '2', '3', '4', '11', '12',
@@ -64,28 +64,128 @@ class HumanizeTests(SimpleTestCase):
 
     def test_intcomma(self):
         test_list = (
-            100, 1000, 10123, 10311, 1000000, 1234567.25, '100', '1000',
-            '10123', '10311', '1000000', '1234567.1234567',
-            Decimal('1234567.1234567'), None,
+            100,
+            -100,
+            1000,
+            -1000,
+            10123,
+            -10123,
+            10311,
+            -10311,
+            1000000,
+            -1000000,
+            1234567.25,
+            -1234567.25,
+            "100",
+            "-100",
+            "1000",
+            "-1000",
+            "10123",
+            "-10123",
+            "10311",
+            "-10311",
+            "1000000",
+            "-1000000",
+            "1234567.1234567",
+            "-1234567.1234567",
+            Decimal("1234567.1234567"),
+            Decimal("-1234567.1234567"),
+            None,
+            "the quick brown fox jumped over the lazy dog",
         )
         result_list = (
-            '100', '1,000', '10,123', '10,311', '1,000,000', '1,234,567.25',
-            '100', '1,000', '10,123', '10,311', '1,000,000', '1,234,567.1234567',
-            '1,234,567.1234567', None,
+            "100",
+            "-100",
+            "1,000",
+            "-1,000",
+            "10,123",
+            "-10,123",
+            "10,311",
+            "-10,311",
+            "1,000,000",
+            "-1,000,000",
+            "1,234,567.25",
+            "-1,234,567.25",
+            "100",
+            "-100",
+            "1,000",
+            "-1,000",
+            "10,123",
+            "-10,123",
+            "10,311",
+            "-10,311",
+            "1,000,000",
+            "-1,000,000",
+            "1,234,567.1234567",
+            "-1,234,567.1234567",
+            "1,234,567.1234567",
+            "-1,234,567.1234567",
+            None,
+            "the quick brown fox jumped over the lazy dog",
         )
         with translation.override('en'):
             self.humanize_tester(test_list, result_list, 'intcomma')
 
     def test_l10n_intcomma(self):
         test_list = (
-            100, 1000, 10123, 10311, 1000000, 1234567.25, '100', '1000',
-            '10123', '10311', '1000000', '1234567.1234567',
-            Decimal('1234567.1234567'), None,
+            100,
+            -100,
+            1000,
+            -1000,
+            10123,
+            -10123,
+            10311,
+            -10311,
+            1000000,
+            -1000000,
+            1234567.25,
+            -1234567.25,
+            "100",
+            "-100",
+            "1000",
+            "-1000",
+            "10123",
+            "-10123",
+            "10311",
+            "-10311",
+            "1000000",
+            "-1000000",
+            "1234567.1234567",
+            "-1234567.1234567",
+            Decimal("1234567.1234567"),
+            -Decimal("1234567.1234567"),
+            None,
+            "the quick brown fox jumped over the lazy dog",
         )
         result_list = (
-            '100', '1,000', '10,123', '10,311', '1,000,000', '1,234,567.25',
-            '100', '1,000', '10,123', '10,311', '1,000,000', '1,234,567.1234567',
-            '1,234,567.1234567', None,
+            "100",
+            "-100",
+            "1,000",
+            "-1,000",
+            "10,123",
+            "-10,123",
+            "10,311",
+            "-10,311",
+            "1,000,000",
+            "-1,000,000",
+            "1,234,567.25",
+            "-1,234,567.25",
+            "100",
+            "-100",
+            "1,000",
+            "-1,000",
+            "10,123",
+            "-10,123",
+            "10,311",
+            "-10,311",
+            "1,000,000",
+            "-1,000,000",
+            "1,234,567.1234567",
+            "-1,234,567.1234567",
+            "1,234,567.1234567",
+            "-1,234,567.1234567",
+            None,
+            "the quick brown fox jumped over the lazy dog",
         )
         with self.settings(USE_L10N=True, USE_THOUSAND_SEPARATOR=False):
             with translation.override('en'):
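Review bot: Neither `test_intcomma` nor `test_l10n_intcomma` includes a value whose integer part has six or nine digits; the visible cases with four or more digits have 4, 5 or 7. A digit count that is a multiple of three is exactly the case where the reverse-and-substitute grouping in humanize.py appends a comma after the final group, so these lists do not pin the output for it. Adding pairs such as `"123456.789"` with expected `"123,456.789"` and `"-123456.789"` with expected `"-123,456.789"` to both lists would cover it; string inputs with a fractional part look most likely to reach the regex branch, though the start of intcomma is not shown. The lists also contain no long digit string, so nothing here guards against the denial-of-service behaviour the commit is meant to remove coming back.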
-- 
2.35.3
