Fixed #30363 -- Do not use exponential notation for small decimal numbers.

In 9cc6a60040b0f64f8ea066dd215176d4bd16621d a security patch was
introduced to prevent allocating large segments of memory when a
very large or very small decimal number was to be formatted.

As a side-effect, there was a change in formatting of small decimal
numbers even when the `decimal_pos` argument was provided, which meant
that reasonable small decimal numbers (above 1e-199) would be formatted
as `0.00`, while smaller decimal numbers (under 1e-200) would be
formatted as `1e-200`.

1 files changed, 8 insertions, 0 deletions

diff --git a/django/utils/numberformat.py b/django/utils/numberformat.py
index 88b35fc435..961a60e37d 100644
--- a/django/utils/numberformat.py
+++ b/django/utils/numberformat.py
@@ -27,6 +27,14 @@ def format(number, decimal_sep, decimal_pos=None, grouping=0, thousand_sep='',
     # sign
     sign = ''
     if isinstance(number, Decimal):
+
+        if decimal_pos is not None:
+            # If the provided number is too small to affect any of the visible
+            # decimal places, consider it equal to '0'.
+            cutoff = Decimal('0.' + '1'.rjust(decimal_pos, '0'))
+            if abs(number) < cutoff:
+                number = Decimal('0')
+
         # Format values with more than 200 digits (an arbitrary cutoff) using
         # scientific notation to avoid high memory usage in {:f}'.format().
         _, digits, exponent = number.as_tuple()