diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index c7ec6da8e2cd..4206c58e3515 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -49,7 +49,7 @@ jobs:
uses: actions/setup-python@v4
with:
python-version: '3.11'
- - run: python -m pip install blacken-docs
+ - run: python -m pip install "black==23.12.1" blacken-docs
- name: Build docs
run: |
cd docs
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index 28526264a919..8f95264b9e70 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -59,4 +59,4 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: black
- uses: psf/black@stable
+ uses: psf/black@23.12.1
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 14facba6d044..0e65e53e3f1c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/psf/black
- rev: 23.3.0
+ rev: 23.12.1
hooks:
- id: black
exclude: \.py-tpl$
@@ -9,7 +9,7 @@ repos:
hooks:
- id: blacken-docs
additional_dependencies:
- - black==23.3.0
+ - black==23.12.1
- repo: https://github.com/PyCQA/isort
rev: 5.12.0
hooks:
diff --git a/django/__init__.py b/django/__init__.py
index 949c6bb0e7ea..dc83a622dde7 100644
--- a/django/__init__.py
+++ b/django/__init__.py
@@ -1,6 +1,6 @@
from django.utils.version import get_version
-VERSION = (4, 2, 9, "final", 0)
+VERSION = (4, 2, 10, "final", 0)
__version__ = get_version(VERSION)
diff --git a/django/contrib/humanize/templatetags/humanize.py b/django/contrib/humanize/templatetags/humanize.py
index 23224779c558..2c26f8944a78 100644
--- a/django/contrib/humanize/templatetags/humanize.py
+++ b/django/contrib/humanize/templatetags/humanize.py
@@ -75,12 +75,13 @@ def intcomma(value, use_l10n=True):
return intcomma(value, False)
else:
return number_format(value, use_l10n=True, force_grouping=True)
- orig = str(value)
- new = re.sub(r"^(-?\d+)(\d{3})", r"\g<1>,\g<2>", orig)
- if orig == new:
- return new
- else:
- return intcomma(new, use_l10n)
+ result = str(value)
+ match = re.match(r"-?\d+", result)
+ if match:
+ prefix = match[0]
+ prefix_with_commas = re.sub(r"\d{3}", r"\g<0>,", prefix[::-1])[::-1]
+ result = prefix_with_commas + result[len(prefix) :]
+ return result
# A tuple of standard large number to their converters
diff --git a/docs/releases/3.2.24.txt b/docs/releases/3.2.24.txt
new file mode 100644
index 000000000000..67be0f65d189
--- /dev/null
+++ b/docs/releases/3.2.24.txt
@@ -0,0 +1,13 @@
+===========================
+Django 3.2.24 release notes
+===========================
+
+*February 6, 2024*
+
+Django 3.2.24 fixes a security issue with severity "moderate" in 3.2.23.
+
+CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
+===========================================================================
+
+The ``intcomma`` template filter was subject to a potential denial-of-service
+attack when used with very long strings.
diff --git a/docs/releases/4.2.10.txt b/docs/releases/4.2.10.txt
new file mode 100644
index 000000000000..7cdfa698144f
--- /dev/null
+++ b/docs/releases/4.2.10.txt
@@ -0,0 +1,13 @@
+===========================
+Django 4.2.10 release notes
+===========================
+
+*February 6, 2024*
+
+Django 4.2.10 fixes a security issue with severity "moderate" in 4.2.9.
+
+CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
+===========================================================================
+
+The ``intcomma`` template filter was subject to a potential denial-of-service
+attack when used with very long strings.
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index abc7988f46a5..01883a44b515 100644
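Review bot: As rendered, the added intcomma body leaves a stray comma whenever the leading digit run is a multiple of three long: for `"100"` the reversed prefix `"001"` becomes `"001,"` and reads back as `",100"`, and `"-100"` becomes `"-,100"`, so the expectations added to tests/humanize_tests/tests.py in this same commit (`"100"` → `"100"`, `"-100"` → `"-100"`) would fail. Add after the `prefix_with_commas = ...` line `prefix_with_commas = re.sub(r"^(-?),", r"\1", prefix_with_commas)` with the comment `# Remove a leading comma, if needed.`. The hunk counts (12 → 13) agree with the six removed and seven added lines shown, but if the upstream patch does carry such a stripping step this is only a rendering loss. The removed code re-ran an anchored `re.sub` and recursed once per inserted comma, so cost grew quadratically with the length of a caller-supplied digit string; the new single `re.match` plus one `re.sub` over the prefix is linear, which is the denial-of-service mitigation the release notes describe. intcomma's signature and its `use_l10n` branch start above the hunk.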
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -26,6 +26,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 4.2.10
4.2.9
4.2.8
4.2.7
@@ -79,6 +80,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 3.2.24
3.2.23
3.2.22
3.2.21
diff --git a/docs/requirements.txt b/docs/requirements.txt
index e234972a3bd1..7708cbe58810 100644
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -1,4 +1,5 @@
pyenchant
Sphinx>=4.5.0
sphinxcontrib-spelling
+black==23.12.1
blacken-docs
diff --git a/tests/humanize_tests/tests.py b/tests/humanize_tests/tests.py
index cf29f5823293..a78bbadafd89 100644
--- a/tests/humanize_tests/tests.py
+++ b/tests/humanize_tests/tests.py
@@ -116,39 +116,71 @@ def test_i18n_html_ordinal(self):
def test_intcomma(self):
test_list = (
100,
+ -100,
1000,
+ -1000,
10123,
+ -10123,
10311,
+ -10311,
1000000,
+ -1000000,
1234567.25,
+ -1234567.25,
"100",
+ "-100",
"1000",
+ "-1000",
"10123",
+ "-10123",
"10311",
+ "-10311",
"1000000",
+ "-1000000",
"1234567.1234567",
+ "-1234567.1234567",
Decimal("1234567.1234567"),
+ Decimal("-1234567.1234567"),
None,
"1234567",
+ "-1234567",
"1234567.12",
+ "-1234567.12",
+ "the quick brown fox jumped over the lazy dog",
)
result_list = (
"100",
+ "-100",
"1,000",
+ "-1,000",
"10,123",
+ "-10,123",
"10,311",
+ "-10,311",
"1,000,000",
+ "-1,000,000",
"1,234,567.25",
+ "-1,234,567.25",
"100",
+ "-100",
"1,000",
+ "-1,000",
"10,123",
+ "-10,123",
"10,311",
+ "-10,311",
"1,000,000",
+ "-1,000,000",
"1,234,567.1234567",
+ "-1,234,567.1234567",
"1,234,567.1234567",
+ "-1,234,567.1234567",
None,
"1,234,567",
+ "-1,234,567",
"1,234,567.12",
+ "-1,234,567.12",
+ "the quick brown fox jumped over the lazy dog",
)
with translation.override("en"):
self.humanize_tester(test_list, result_list, "intcomma")
@@ -156,39 +188,71 @@ def test_intcomma(self):
def test_l10n_intcomma(self):
test_list = (
100,
+ -100,
1000,
+ -1000,
10123,
+ -10123,
10311,
+ -10311,
1000000,
+ -1000000,
1234567.25,
+ -1234567.25,
"100",
+ "-100",
"1000",
+ "-1000",
"10123",
+ "-10123",
"10311",
+ "-10311",
"1000000",
+ "-1000000",
"1234567.1234567",
+ "-1234567.1234567",
Decimal("1234567.1234567"),
+ -Decimal("1234567.1234567"),
None,
"1234567",
+ "-1234567",
"1234567.12",
+ "-1234567.12",
+ "the quick brown fox jumped over the lazy dog",
)
result_list = (
"100",
+ "-100",
"1,000",
+ "-1,000",
"10,123",
+ "-10,123",
"10,311",
+ "-10,311",
"1,000,000",
+ "-1,000,000",
"1,234,567.25",
+ "-1,234,567.25",
"100",
+ "-100",
"1,000",
+ "-1,000",
"10,123",
+ "-10,123",
"10,311",
+ "-10,311",
"1,000,000",
+ "-1,000,000",
"1,234,567.1234567",
+ "-1,234,567.1234567",
"1,234,567.1234567",
+ "-1,234,567.1234567",
None,
"1,234,567",
+ "-1,234,567",
"1,234,567.12",
+ "-1,234,567.12",
+ "the quick brown fox jumped over the lazy dog",
)
with self.settings(USE_THOUSAND_SEPARATOR=False):
with translation.override("en"):
diff --git a/tests/requirements/py3.txt b/tests/requirements/py3.txt
index 5c937218683b..7eebc20e05ce 100644
--- a/tests/requirements/py3.txt
+++ b/tests/requirements/py3.txt
@@ -3,7 +3,7 @@ asgiref >= 3.6.0
argon2-cffi >= 19.2.0
backports.zoneinfo; python_version < '3.9'
bcrypt
-black
+black == 23.12.1
docutils
geoip2; python_version < '3.12'
jinja2 >= 2.11.0
diff --git a/tox.ini b/tox.ini
index 28355ed01dea..b5c3fedd557d 100644
--- a/tox.ini
+++ b/tox.ini
@@ -36,7 +36,7 @@ commands =
[testenv:black]
basepython = python3
usedevelop = false
-deps = black
+deps = black == 23.12.1
changedir = {toxinidir}
commands = black --check --diff .