Opened 3 days ago
Last modified 42 hours ago
#36715 assigned Bug
intcomma filter crashes on non-finite numbers — at Initial Version
| Reported by: | Tim Graham | Owned by: | |
|---|---|---|---|
| Component: | contrib.humanize | Version: | 5.2 |
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
From Skrc Prst (skrcprst) on HackerOne:
When looking at humanize filters I discovered intcomma filter does not robustly handle values that are not a finite number, like Inf, -Inf, Infinity, -Infinity, NaN or sNaN, and raises a TypeError that is not caught in the calling code.
diff --git a/tests/humanize_tests/tests.py b/tests/humanize_tests/tests.py index ab967e2874..8b90245311 100644 --- a/tests/humanize_tests/tests.py +++ b/tests/humanize_tests/tests.py @@ -153,6 +153,7 @@ class HumanizeTests(SimpleTestCase): "-1234567.1234567", Decimal("1234567.1234567"), Decimal("-1234567.1234567"), + Decimal("Infinity"), None, "1234567", "-1234567",
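Review bot: only `Decimal("Infinity")` is added to this input list, while the report also names -Infinity, NaN and sNaN, and each exercises a different path (the sign, a quiet NaN that cannot be ordered, a signaling NaN that raises on arithmetic); add `Decimal("-Infinity")`, `Decimal("NaN")` and `Decimal("sNaN")` alongside it, and give the expected-output list that this input list is paired with the matching `"-Infinity"`, `"NaN"` and `"sNaN"` entries so the test actually pins the fix for every case in the description.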
Observe a crash:
```text
# Format values with more than 200 digits (an arbitrary cutoff) using
# scientific notation to avoid high memory usage in {:f}'.format().
_, digits, exponent = number.as_tuple()
> if abs(exponent) + len(digits) > 200:
^^^^^^^^^^^^^
E TypeError: bad operand type for abs(): 'str'
```
The code could be fortified with something like:
diff --git a/django/utils/numberformat.py b/django/utils/numberformat.py index cf8b2d219c..1f9ae840a5 100644 --- a/django/utils/numberformat.py +++ b/django/utils/numberformat.py @@ -48,6 +48,10 @@ def format( if abs(number) < cutoff: number = Decimal("0") + if not number.is_finite(): + # like NaN or Infinity + return str(number) + # Format values with more than 200 digits (an arbitrary cutoff) using # scientific notation to avoid high memory usage in {:f}'.format(). _, digits, exponent = number.as_tuple()
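Review bot: the `is_finite()` guard is placed after the `if abs(number) < cutoff:` comparison shown as context, so a NaN never reaches it: `abs(Decimal("NaN")) < cutoff` raises `decimal.InvalidOperation` under the default context, and `abs()` on an sNaN signals `InvalidOperation` before the comparison even runs, so the patch fixes `Infinity` but not the NaN inputs the report lists. Move the guard above the cutoff block, before any arithmetic or ordering comparison on `number` (it must still sit where `number` is known to be a `Decimal`, since `is_finite()` is a `Decimal` method). Minor: Django comments are full sentences, so `# like NaN or Infinity` should read `# Like NaN or Infinity.`.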
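The crash mechanism and the guard, as an added example that is not part of the ticket or of Django's code: `vulnerable_format` and `hardened_format` are hypothetical, pared-down stand-ins for the 200-digit cutoff step of `django.utils.numberformat.format()`, and `probe` reports what each does with the report's non-finite inputs (the `cutoff` argument stands in for the rounding cutoff the real function derives from `decimal_pos`).

```python
# Added example, not Django's own code. Pared-down model of the digit-cutoff
# step in django.utils.numberformat.format(); names are hypothetical.
from decimal import Decimal, InvalidOperation


def vulnerable_format(number, cutoff=None):
    """Unguarded logic: as_tuple() on Inf/NaN yields a *string* exponent
    ('F', 'n' or 'N'), so abs(exponent) raises the TypeError in the report."""
    if cutoff is not None and abs(number) < cutoff:
        number = Decimal("0")
    _, digits, exponent = number.as_tuple()
    if abs(exponent) + len(digits) > 200:
        return "{:e}".format(number)  # scientific notation for huge values
    return "{:f}".format(number)


def hardened_format(number, cutoff=None):
    """Guard first: a non-finite Decimal is returned as its own string before
    any arithmetic or ordering comparison, which NaN and sNaN would also trip."""
    if not number.is_finite():
        return str(number)
    if cutoff is not None and abs(number) < cutoff:
        number = Decimal("0")
    _, digits, exponent = number.as_tuple()
    if abs(exponent) + len(digits) > 200:
        return "{:e}".format(number)
    return "{:f}".format(number)


def probe(func, value, cutoff=None):
    """Run func on Decimal(value); return the result or the exception's name."""
    cutoff = Decimal(cutoff) if cutoff is not None else None
    try:
        return func(Decimal(value), cutoff)
    except (TypeError, InvalidOperation) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # Constructed inputs: the finite control value plus the report's cases.
    for value in ("1234567.5", "Infinity", "-Infinity", "NaN", "sNaN"):
        print(f"{value:>10} | vulnerable: {probe(vulnerable_format, value):<16}"
              f"| with cutoff: {probe(vulnerable_format, value, '0.5'):<16}"
              f"| hardened: {probe(hardened_format, value, '0.5')}")
```

Running it shows that the bare TypeError from the ticket is only one symptom: once a cutoff comparison precedes the guard, NaN and sNaN fail with `InvalidOperation` instead, which is why the guard has to come first.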