+81
-8
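--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -75,12 +75,13 @@ def intcomma(value, use_l10n=True):
             return intcomma(value, False)
         else:
             return number_format(value, use_l10n=True, force_grouping=True)
-    orig = str(value)
-    new = re.sub(r"^(-?\d+)(\d{3})", r"\g<1>,\g<2>", orig)
-    if orig == new:
-        return new
-    else:
-        return intcomma(new, use_l10n)
+    result = str(value)
+    match = re.match(r"-?\d+", result)
+    if match:
+        prefix = match[0]
+        prefix_with_commas = re.sub(r"\d{3}", r"\g<0>,", prefix[::-1])[::-1]
+        result = prefix_with_commas + result[len(prefix) :]
+    return result
 
 
 # A tuple of standard large number to their converters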
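Review bot: The new grouping leaves a stray comma at the front of the integer prefix whenever its digit count is a multiple of three, because `re.sub(r"\d{3}", r"\g<0>,", prefix[::-1])` on the reversed prefix also appends a comma after the last group; on the non-localized path `"100000.50"` comes back as `",100,000.50"`, and a signed prefix such as `"-100000"` as `"-,100,000"`. The added test vectors all carry seven-digit integer parts, and judging by the visible `number_format` branch plain integers never reach this code, so nothing in the commit exercises the case. A lookahead restricts the comma to groups that are followed by another digit: `prefix_with_commas = re.sub(r"\d{3}(?=\d)", r"\g<0>,", prefix[::-1])[::-1]`. This keeps the single linear pass that replaced the old repeated substitution, so the denial-of-service mitigation is unchanged. intcomma's signature and the `use_l10n` branch begin above the hunk.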
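--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -6,4 +6,8 @@ Django 3.2.24 release notes
 
 Django 3.2.24 fixes a security issue with severity "moderate" in 3.2.23.
 
-...
+CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
+===========================================================================
+
+The ``intcomma`` template filter was subject to a potential denial-of-service
+attack when used with very long strings.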
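--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -6,4 +6,8 @@ Django 4.2.10 release notes
 
 Django 4.2.10 fixes a security issue with severity "moderate" in 4.2.9.
 
-...
+CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
+===========================================================================
+
+The ``intcomma`` template filter was subject to a potential denial-of-service
+attack when used with very long strings.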
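--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -116,79 +116,143 @@ def test_i18n_html_ordinal(self):
     def test_intcomma(self):
         test_list = (
             100,
+            -100,
             1000,
+            -1000,
             10123,
+            -10123,
             10311,
+            -10311,
             1000000,
+            -1000000,
             1234567.25,
+            -1234567.25,
             "100",
+            "-100",
             "1000",
+            "-1000",
             "10123",
+            "-10123",
             "10311",
+            "-10311",
             "1000000",
+            "-1000000",
             "1234567.1234567",
+            "-1234567.1234567",
             Decimal("1234567.1234567"),
+            Decimal("-1234567.1234567"),
             None,
             "1234567",
+            "-1234567",
             "1234567.12",
+            "-1234567.12",
+            "the quick brown fox jumped over the lazy dog",
         )
         result_list = (
             "100",
+            "-100",
             "1,000",
+            "-1,000",
             "10,123",
+            "-10,123",
             "10,311",
+            "-10,311",
             "1,000,000",
+            "-1,000,000",
             "1,234,567.25",
+            "-1,234,567.25",
             "100",
+            "-100",
             "1,000",
+            "-1,000",
             "10,123",
+            "-10,123",
             "10,311",
+            "-10,311",
             "1,000,000",
+            "-1,000,000",
             "1,234,567.1234567",
+            "-1,234,567.1234567",
             "1,234,567.1234567",
+            "-1,234,567.1234567",
             None,
             "1,234,567",
+            "-1,234,567",
             "1,234,567.12",
+            "-1,234,567.12",
+            "the quick brown fox jumped over the lazy dog",
         )
         with translation.override("en"):
             self.humanize_tester(test_list, result_list, "intcomma")
 
     def test_l10n_intcomma(self):
         test_list = (
             100,
+            -100,
             1000,
+            -1000,
             10123,
+            -10123,
             10311,
+            -10311,
             1000000,
+            -1000000,
             1234567.25,
+            -1234567.25,
             "100",
+            "-100",
             "1000",
+            "-1000",
             "10123",
+            "-10123",
             "10311",
+            "-10311",
             "1000000",
+            "-1000000",
             "1234567.1234567",
+            "-1234567.1234567",
             Decimal("1234567.1234567"),
+            -Decimal("1234567.1234567"),
             None,
             "1234567",
+            "-1234567",
             "1234567.12",
+            "-1234567.12",
+            "the quick brown fox jumped over the lazy dog",
         )
         result_list = (
             "100",
+            "-100",
             "1,000",
+            "-1,000",
             "10,123",
+            "-10,123",
             "10,311",
+            "-10,311",
             "1,000,000",
+            "-1,000,000",
             "1,234,567.25",
+            "-1,234,567.25",
             "100",
+            "-100",
             "1,000",
+            "-1,000",
             "10,123",
+            "-10,123",
             "10,311",
+            "-10,311",
             "1,000,000",
+            "-1,000,000",
             "1,234,567.1234567",
+            "-1,234,567.1234567",
             "1,234,567.1234567",
+            "-1,234,567.1234567",
             None,
             "1,234,567",
+            "-1,234,567",
             "1,234,567.12",
+            "-1,234,567.12",
+            "the quick brown fox jumped over the lazy dog",
         )
         with self.settings(USE_THOUSAND_SEPARATOR=False):
             with translation.override("en"):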
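Review bot: None of the new vectors reaches the rewritten non-localized grouping with an integer part whose length is a multiple of three: every non-integer string in `test_list` has a seven-digit prefix, and the plain integers and integer strings are handled by the localized branch, so the reversed `\d{3}` substitution is never checked at its boundary. A pair such as `"100000.50"` expecting `"100,000.50"` and `"-100000.50"` expecting `"-100,000.50"` would pin that case; as the substitution in the humanize hunk is written, both would currently come back with a comma before the first digit group. The non-numeric sentence is a good addition since it covers the no-match path. `test_l10n_intcomma` continues below the hunk.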