[Django] #35172: intcomma patch in CVE-2024-24680 causing leading comma when provided string-based 3-digit number with at least 1 decimal place

Django

Feb 6, 2024, 11:18:36 PMFeb 6
to django-...@googlegroups.com
#35172: intcomma patch in CVE-2024-24680 causing leading comma when provided
string-based 3-digit number with at least 1 decimal place
-------------------------------------+-------------------------------------
               Reporter:  Warwick Brown     |           Owner:  nobody
                   Type:  Uncategorized     |          Status:  new
              Component:  contrib.humanize  |         Version:  4.2
               Severity:  Normal            |        Keywords:  humanize intcomma comma decimal places
           Triage Stage:  Unreviewed        |       Has patch:  0
    Needs documentation:  0                 |     Needs tests:  0
Patch needs improvement:  0                 |   Easy pickings:  0
                  UI/UX:  0                 |
-------------------------------------+-------------------------------------
I'm running (4, 2, 10, 'final', 0)

Just discovered that the patch to intcomma made in CVE-2024-24680 is
causing numbers to appear with a leading comma when they are 3 digits (i.e.
between 100 and 999) with at least 1 decimal place.

{{{#!python
In [34]: intcomma('111')
Out[34]: '111'

In [35]: intcomma('111.1')
Out[35]: ',111.1'

In [36]: intcomma('99.1')
Out[36]: '99.1'

In [37]: intcomma('999.1')
Out[37]: ',999.1'
}}}

I note there doesn't appear to be a test in
`tests/humanize_tests/tests.py` for the case of a string "111.1"

I encountered this because I use `{{ price|floatformat:2|intcomma }}` in
templates, thus floatformat is providing a string to intcomma.
--
Ticket URL: <https://code.djangoproject.com/ticket/35172>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
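The grouping behaviour the report expects, as an added example that is not part of the ticket and is not Django's own `intcomma` implementation: a standalone, regex-free thousands separator for the non-localized string path (the path reached when `floatformat` hands `intcomma` a string), checked against the ticket's four inputs plus a few constructed extras. The function names, the constructed cases and the expected values beyond the ticket's own outputs are assumptions of this example. It groups only the sign and leading digit run and appends everything after it unchanged, so a 3-digit integer part such as `"111.1"` yields exactly one group and never a leading comma.

```python
# Added example: standalone digit grouping for the non-localized intcomma
# path. Not Django's code; names and extra cases are this example's own.

# Constructed cases: the four from the ticket (with the outputs the
# reporter expected) plus extra edge cases assumed here.
CASES = {
    "111": "111",
    "111.1": "111.1",
    "99.1": "99.1",
    "999.1": "999.1",
    "999999.50": "999,999.50",
    "-111.1": "-111.1",
    "-1000": "-1,000",
    "1234567.891": "1,234,567.891",
    "0.5": "0.5",
    "abc": "abc",
}


def group_integer_prefix(text):
    """Insert thousands separators into the leading integer part of text.

    Only an optional leading '-' and the run of ASCII digits that follows it
    are grouped; the remainder (decimal point and fraction, exponent, or any
    trailing text) is appended unchanged. The work is a single linear scan
    with no backtracking regex, so very long inputs (the class of input the
    CVE-2024-24680 fix in intcomma was concerned with) stay cheap.
    """
    sign, body = "", text
    if body.startswith("-"):
        sign, body = "-", body[1:]

    # Find the end of the leading digit run.
    i = 0
    while i < len(body) and "0" <= body[i] <= "9":
        i += 1
    digits, rest = body[:i], body[i:]
    if not digits:
        return text  # nothing numeric at the front: leave the value alone

    # Group from the right. The first group holds 1..3 digits, so a run whose
    # length is a multiple of three ("111", "999999") starts with a full
    # group rather than an empty one, which is exactly how a leading comma
    # gets avoided for the ticket's inputs.
    head = len(digits) % 3 or 3
    groups = [digits[:head]]
    groups += [digits[j:j + 3] for j in range(head, len(digits), 3)]
    return sign + ",".join(groups) + rest


def intcomma_plain(value):
    """intcomma-style formatting of any value via its str() form (no l10n)."""
    return group_integer_prefix(str(value))


def check_cases():
    """Return a list of (input, expected, got) for every case that mismatches."""
    return [
        (raw, want, intcomma_plain(raw))
        for raw, want in CASES.items()
        if intcomma_plain(raw) != want
    ]


if __name__ == "__main__":
    for raw, want in CASES.items():
        print(f"{raw!r:>14} -> {intcomma_plain(raw)!r:>16}  (expected {want!r})")
    print("mismatches:", check_cases())
```

The example deliberately covers only the string path the reporter hit; Django's filter also has a localized branch that goes through `number_format`, which this example does not model. A useful regression check when touching code like this is a table of inputs whose integer part has exactly 3 and exactly 6 digits, with and without a fractional part and a sign, since those are the boundaries where an off-by-one in the grouping shows up as a stray separator.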

Django

Feb 6, 2024, 11:19:02 PMFeb 6
to django-...@googlegroups.com
#35172: intcomma patch in CVE-2024-24680 causing leading comma when provided
string-based 3-digit number with at least 1 decimal place
-------------------------------------+-------------------------------------
               Reporter:  Warwick Brown     |           Owner:  nobody
                   Type:  Bug               |          Status:  new
              Component:  contrib.humanize  |         Version:  4.2
               Severity:  Normal            |      Resolution:
               Keywords:  humanize intcomma |    Triage Stage:  Unreviewed
                          comma decimal places |
              Has patch:  0                 |  Needs documentation:  0
            Needs tests:  0                 |  Patch needs improvement:  0
          Easy pickings:  0                 |           UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Warwick Brown):

* type: Uncategorized => Bug

--
Ticket URL: <https://code.djangoproject.com/ticket/35172#comment:1>
