+48
-0
@@ -164,6 +164,19 @@ def floatformat(text, arg=-1):
164
164
except ValueError:
165
165
return input_val
166
166
167
+
_, digits, exponent = d.as_tuple()
168
+
try:
169
+
number_of_digits_and_exponent_sum = len(digits) + abs(exponent)
170
+
except TypeError:
171
+
# Exponent values can be "F", "n", "N".
172
+
number_of_digits_and_exponent_sum = 0
173
+
174
+
# Values with more than 200 digits, or with a large exponent, are returned "as is"
175
+
# to avoid high memory consumption and potential denial-of-service attacks.
176
+
# The cut-off of 200 is consistent with django.utils.numberformat.floatformat().
177
+
if number_of_digits_and_exponent_sum > 200:
178
+
return input_val
179
+
167
180
try:
168
181
m = int(d) - d
169
182
except (ValueError, OverflowError, InvalidOperation):
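Review bot: The new guard `if number_of_digits_and_exponent_sum > 200:` keys on `len(digits) + abs(exponent)`, so a short mantissa with a large-magnitude negative exponent (a constructed example: the string "1e-300", one digit, |exponent| 300) is now returned verbatim rather than rendered, which is a visible output change for callers and not only a refusal of huge values. The in-code comment ("or with a large exponent") covers this, but the release-note hunks in this same commit say only "more than 200 digits"; the comment here would be clearer as `# Values whose digit count plus |exponent| exceeds 200 are returned "as is"`. Since the comment itself says the cut-off must match django.utils.numberformat.floatformat(), the literal 200 is a drift risk duplicated in two modules; a single shared module-level constant (e.g. a constructed name like `FLOATFORMAT_MAX_DIGITS = 200`) would make that invariant enforceable. The `except TypeError` path correctly covers the "F"/"n"/"N" exponents of non-finite Decimals; the remaining parse cost before the guard (`Decimal(input_val)` and `as_tuple()`) is linear in the input length, which is the intended bound. floatformat's body begins and ends outside this hunk.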
@@ -7,6 +7,15 @@ Django 4.2.15 release notes
7
7
Django 4.2.15 fixes three security issues with severity "moderate", one
8
8
security issue with severity "high", and a regression in 4.2.14.
9
9
10
+
CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
11
+
================================================================================
12
+
13
+
If :tfilter:`floatformat` received a string representation of a number in
14
+
scientific notation with a large exponent, it could lead to significant memory
15
+
consumption.
16
+
17
+
To avoid this, decimals with more than 200 digits are now returned as is.
18
+
10
19
Bugfixes
11
20
========
12
21
@@ -7,6 +7,15 @@ Django 5.0.8 release notes
7
7
Django 5.0.8 fixes three security issues with severity "moderate", one security
8
8
issue with severity "high", and several bugs in 5.0.7.
9
9
10
+
CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
11
+
================================================================================
12
+
13
+
If :tfilter:`floatformat` received a string representation of a number in
14
+
scientific notation with a large exponent, it could lead to significant memory
15
+
consumption.
16
+
17
+
To avoid this, decimals with more than 200 digits are now returned as is.
18
+
10
19
Bugfixes
11
20
========
12
21
@@ -77,6 +77,7 @@ def test_inputs(self):
77
77
self.assertEqual(floatformat(1.5e-15, 20), "0.00000000000000150000")
78
78
self.assertEqual(floatformat(1.5e-15, -20), "0.00000000000000150000")
79
79
self.assertEqual(floatformat(1.00000000000000015, 16), "1.0000000000000002")
80
+
self.assertEqual(floatformat("1e199"), "1" + "0" * 199)
80
81
81
82
def test_force_grouping(self):
82
83
with translation.override("en"):
@@ -134,6 +135,22 @@ def test_infinity(self):
134
135
self.assertEqual(floatformat(pos_inf), "inf")
135
136
self.assertEqual(floatformat(neg_inf), "-inf")
136
137
self.assertEqual(floatformat(pos_inf / pos_inf), "nan")
138
+
self.assertEqual(floatformat("inf"), "inf")
139
+
self.assertEqual(floatformat("NaN"), "NaN")
140
+
141
+
def test_too_many_digits_to_render(self):
142
+
cases = [
143
+
"1e200",
144
+
"1E200",
145
+
"1E10000000000000000",
146
+
"-1E10000000000000000",
147
+
"1e10000000000000000",
148
+
"-1e10000000000000000",
149
+
"1" + "0" * 1_000_000,
150
+
]
151
+
for value in cases:
152
+
with self.subTest(value=value):
153
+
self.assertEqual(floatformat(value), value)
137
154
138
155
def test_float_dunder_method(self):
139
156
class FloatWrapper:
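Review bot: test_too_many_digits_to_render exercises only positive exponents and a long literal digit string, so the `abs(exponent)` half of the new guard has no covering case; a large-magnitude negative exponent such as `"1e-10000000000000000"` (constructed) added to `cases` would pin that branch, and it is the one where the old code would also have tried to render. A case passing the value as `Decimal` rather than `str` (e.g. `Decimal("1e10000000000000000")`, constructed) would also confirm the guard is reached regardless of input type, since the test file already imports Decimal elsewhere only if it does — verify before adding. The boundary pair "1e199" (rendered, in test_inputs) and "1e200" (returned as is) is a good check of the `> 200` comparison and is worth a one-line comment saying so.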