[5.0.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat.

Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger <shai@platonix.com>
author: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2024-07-12 11:38:34 +0200
committer: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2024-08-06 08:51:55 +0200
commit: 27900fe56f3d3cabb4aeb6ccb82f92bab29073a8 (patch)
tree: 65ecf56c743ebf44ac79d96124ddc9a7f7fd5d6e /django
parent: d7f955462cb17e74c2a1701ea7f722f2ed2bc168 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py
index 1f1ea4d7a9..b71c5555f0 100644
--- a/django/template/defaultfilters.py
+++ b/django/template/defaultfilters.py
@@ -164,6 +164,19 @@ def floatformat(text, arg=-1):
     except ValueError:
         return input_val
 
+    _, digits, exponent = d.as_tuple()
+    try:
+        number_of_digits_and_exponent_sum = len(digits) + abs(exponent)
+    except TypeError:
+        # Exponent values can be "F", "n", "N".
+        number_of_digits_and_exponent_sum = 0
+
+    # Values with more than 200 digits, or with a large exponent, are returned "as is"
+    # to avoid high memory consumption and potential denial-of-service attacks.
+    # The cut-off of 200 is consistent with django.utils.numberformat.floatformat().
+    if number_of_digits_and_exponent_sum > 200:
+        return input_val
+
     try:
         m = int(d) - d
     except (ValueError, OverflowError, InvalidOperation):
author	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2024-07-12 11:38:34 +0200
committer	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2024-08-06 08:51:55 +0200
commit	27900fe56f3d3cabb4aeb6ccb82f92bab29073a8 (patch)
tree	65ecf56c743ebf44ac79d96124ddc9a7f7fd5d6e /django
parent	d7f955462cb17e74c2a1701ea7f722f2ed2bc168 (diff)