From 0bbb560183fabf0533289700845dafa94951f227 Mon Sep 17 00:00:00 2001
From: Carlton Gibson <carlton.gibson@noumenal.es>
Date: Mon, 11 Feb 2019 11:15:45 +0100
Subject: [PATCH] [1.11.x] Fixed CVE-2019-6975 -- Fixed memory exhaustion in utils.numberformat.format().
Thanks Sjoerd Job Postmus for the report and initial patch.
Thanks Michael Manfre, Tim Graham, and Florian Apolloner for review.
Backport of 402c0caa851e265410fbcaa55318f22d2bf22ee2 from master.
---
 django/utils/numberformat.py | 15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/django/utils/numberformat.py b/django/utils/numberformat.py
index ae5a3b547410..97d112aad2d8 100644
--- a/django/utils/numberformat.py
+++ b/django/utils/numberformat.py
@@ -30,7 +30,20 @@ def format(number, decimal_sep, decimal_pos=None, grouping=0, thousand_sep='',
 # sign
 sign = ''
 if isinstance(number, Decimal):
- str_number = '{:f}'.format(number)
+ # Format values with more than 200 digits (an arbitrary cutoff) using
+ # scientific notation to avoid high memory usage in {:f}'.format().
+ _, digits, exponent = number.as_tuple()
+ if abs(exponent) + len(digits) > 200:
+ number = '{:e}'.format(number)
+ coefficient, exponent = number.split('e')
+ # Format the coefficient.
+ coefficient = format(
+ coefficient, decimal_sep, decimal_pos, grouping,
+ thousand_sep, force_grouping,
+ )
+ return '{}e{}'.format(coefficient, exponent)
+ else:
+ str_number = '{:f}'.format(number)
 else:
 str_number = six.text_type(number)
 if str_number[0] == '-':
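Review bot: The new `abs(exponent) + len(digits)` test raises TypeError for non-finite Decimals, because `Decimal('NaN').as_tuple()` and `Decimal('Infinity').as_tuple()` carry a string exponent ('n', 'N' or 'F') rather than an int, whereas the removed `'{:f}'.format(number)` rendered those values as 'NaN'/'Infinity'; a formatter used on untrusted or database-sourced values should degrade, not crash. Guarding the cutoff keeps the old behaviour for those inputs and still bounds the fixed-point path: `if number.is_finite() and abs(exponent) + len(digits) > 200:`. A second inconsistency, assuming the decimal_pos truncation below the hunk behaves as it does for the '{:f}' path: with decimal_pos set, a tiny value past the cutoff such as Decimal('1e-300') comes back as '1.00e-300' while Decimal('1e-150') comes back as '0.00', so two values that both round to zero are displayed in different shapes. The body of format() continues past the hunk on both sides.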