File: 0019-CVE-2024-41989.patch

package info (click to toggle)
python-django 3%3A3.2.19-1%2Bdeb12u2
  • links: PTS, VCS
  • area: main
  • in suites: bookworm-proposed-updates
  • size: 56,696 kB
  • sloc: python: 264,418; javascript: 18,362; xml: 193; makefile: 178; sh: 43
file content (67 lines) | stat: -rw-r--r-- 2,792 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
 
commit c19465ad87e33b6122c886b97a202ad54cd43672
Author: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Date:   Fri Jul 12 11:38:34 2024 +0200

    Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat.
    
    Thanks Elias Myllymäki for the report.
    
    Co-authored-by: Shai Berger <shai@platonix.com>

diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py
index 02cac06bcf..66c6e76d20 100644
--- a/django/template/defaultfilters.py
+++ b/django/template/defaultfilters.py
@@ -146,6 +146,19 @@ def floatformat(text, arg=-1):
     except ValueError:
         return input_val
 
+    _, digits, exponent = d.as_tuple()
+    try:
+        number_of_digits_and_exponent_sum = len(digits) + abs(exponent)
+    except TypeError:
+        # Exponent values can be "F", "n", "N".
+        number_of_digits_and_exponent_sum = 0
+
+    # Values with more than 200 digits, or with a large exponent, are returned "as is"
+    # to avoid high memory consumption and potential denial-of-service attacks.
+    # The cut-off of 200 is consistent with django.utils.numberformat.floatformat().
+    if number_of_digits_and_exponent_sum > 200:
+        return input_val
+
     try:
         m = int(d) - d
     except (ValueError, OverflowError, InvalidOperation):
diff --git a/tests/template_tests/filter_tests/test_floatformat.py b/tests/template_tests/filter_tests/test_floatformat.py
index 145858b75f..3d6c34a552 100644
--- a/tests/template_tests/filter_tests/test_floatformat.py
+++ b/tests/template_tests/filter_tests/test_floatformat.py
@@ -59,6 +59,7 @@ class FunctionTests(SimpleTestCase):
         self.assertEqual(floatformat(1.5e-15, 20), '0.00000000000000150000')
         self.assertEqual(floatformat(1.5e-15, -20), '0.00000000000000150000')
         self.assertEqual(floatformat(1.00000000000000015, 16), '1.0000000000000002')
+        self.assertEqual(floatformat("1e199"), "1" + "0" * 199)
 
     @override_settings(USE_L10N=True)
     def test_force_grouping(self):
@@ -96,6 +97,20 @@ class FunctionTests(SimpleTestCase):
         self.assertEqual(floatformat(pos_inf), 'inf')
         self.assertEqual(floatformat(neg_inf), '-inf')
         self.assertEqual(floatformat(pos_inf / pos_inf), 'nan')
+
+    def test_too_many_digits_to_render(self):
+        cases = [
+            "1e200",
+            "1E200",
+            "1E10000000000000000",
+            "-1E10000000000000000",
+            "1e10000000000000000",
+            "-1e10000000000000000",
+            "1" + "0" * 1_000_000,
+        ]
+        for value in cases:
+            with self.subTest(value=value):
+                self.assertEqual(floatformat(value), "'" + value + "'")
 
     def test_float_dunder_method(self):
         class FloatWrapper: