From 4198a5cb2d3516130c26cff7e4a58754ebf0a47e Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Tue, 2 Jan 2024 10:11:39 +0100 Subject: [PATCH 1/6] [4.2.x] Post-release version bump. --- django/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/django/__init__.py b/django/__init__.py index 949c6bb0e7ea..b2f67a6ac8d7 100644 --- a/django/__init__.py +++ b/django/__init__.py @@ -1,6 +1,6 @@ from django.utils.version import get_version -VERSION = (4, 2, 9, "final", 0) +VERSION = (4, 2, 10, "alpha", 0) __version__ = get_version(VERSION) From 74582b8d119a8c7d688538442b4149112b626057 Mon Sep 17 00:00:00 2001 From: Natalia <124304+nessita@users.noreply.github.com> Date: Mon, 29 Jan 2024 11:41:53 -0300 Subject: [PATCH 2/6] [4.2.x] Added stub release notes for 4.2.10 and 3.2.24. Backport of 06d0a1bd56a9899c351ca047a05813e8dd6a4e17 from main --- docs/releases/3.2.24.txt | 9 +++++++++ docs/releases/4.2.10.txt | 9 +++++++++ docs/releases/index.txt | 2 ++ 3 files changed, 20 insertions(+) create mode 100644 docs/releases/3.2.24.txt create mode 100644 docs/releases/4.2.10.txt diff --git a/docs/releases/3.2.24.txt b/docs/releases/3.2.24.txt new file mode 100644 index 000000000000..1ab7024f73c7 --- /dev/null +++ b/docs/releases/3.2.24.txt @@ -0,0 +1,9 @@ +=========================== +Django 3.2.24 release notes +=========================== + +*February 6, 2024* + +Django 3.2.24 fixes a security issue with severity "moderate" in 3.2.23. + +... diff --git a/docs/releases/4.2.10.txt b/docs/releases/4.2.10.txt new file mode 100644 index 000000000000..c039f6840f7e --- /dev/null +++ b/docs/releases/4.2.10.txt @@ -0,0 +1,9 @@ +=========================== +Django 4.2.10 release notes +=========================== + +*February 6, 2024* + +Django 4.2.10 fixes a security issue with severity "moderate" in 4.2.9. + +... diff --git a/docs/releases/index.txt b/docs/releases/index.txt index abc7988f46a5..01883a44b515 100644 --- a/docs/releases/index.txt 
+++ b/docs/releases/index.txt @@ -26,6 +26,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 4.2.10 4.2.9 4.2.8 4.2.7 @@ -79,6 +80,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 3.2.24 3.2.23 3.2.22 3.2.21 From 71dd587da9b45f5b4cd4aa93f99a9b14d444801d Mon Sep 17 00:00:00 2001 From: nessita <124304+nessita@users.noreply.github.com> Date: Mon, 29 Jan 2024 12:53:06 -0300 Subject: [PATCH 3/6] [4.2.x] Pinned black == 23.12.1 in GitHub actions, pre-commit and test requirements. --- .github/workflows/linters.yml | 2 +- .pre-commit-config.yaml | 4 ++-- tests/requirements/py3.txt | 2 +- tox.ini | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml index 28526264a919..8f95264b9e70 100644 --- a/.github/workflows/linters.yml +++ b/.github/workflows/linters.yml @@ -59,4 +59,4 @@ jobs: - name: Checkout uses: actions/checkout@v4 - name: black - uses: psf/black@stable + uses: psf/black@23.12.1 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 14facba6d044..0e65e53e3f1c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/psf/black - rev: 23.3.0 + rev: 23.12.1 hooks: - id: black exclude: \.py-tpl$ @@ -9,7 +9,7 @@ repos: hooks: - id: blacken-docs additional_dependencies: - - black==23.3.0 + - black==23.12.1 - repo: https://github.com/PyCQA/isort rev: 5.12.0 hooks: diff --git a/tests/requirements/py3.txt b/tests/requirements/py3.txt index 5c937218683b..7eebc20e05ce 100644 --- a/tests/requirements/py3.txt +++ b/tests/requirements/py3.txt @@ -3,7 +3,7 @@ asgiref >= 3.6.0 argon2-cffi >= 19.2.0 backports.zoneinfo; python_version < '3.9' bcrypt -black +black == 23.12.1 docutils geoip2; python_version < '3.12' jinja2 >= 2.11.0 diff --git a/tox.ini b/tox.ini index 28355ed01dea..b5c3fedd557d 100644 
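Review bot: `uses: psf/black@23.12.1` in `.github/workflows/linters.yml` pins a git tag, and a tag in the upstream repository can be moved or deleted, so swapping `@stable` for `@23.12.1` fixes reproducibility but not the supply-chain exposure of an action that runs on every push. Pin the full commit SHA and keep the version as a trailing comment, `uses: psf/black@<full-commit-sha>  # 23.12.1`, which is what GitHub recommends for third-party actions and what Dependabot can still track. The `rev: 23.12.1` entries in `.pre-commit-config.yaml` have the same property, though pre-commit resolves those on developer machines rather than in CI, so the workflow pin matters most.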
--- a/tox.ini +++ b/tox.ini @@ -36,7 +36,7 @@ commands = [testenv:black] basepython = python3 usedevelop = false -deps = black +deps = black == 23.12.1 changedir = {toxinidir} commands = black --check --diff . From 9fe7411235b7fb133eed5093fee714c4c7db4c98 Mon Sep 17 00:00:00 2001 From: nessita <124304+nessita@users.noreply.github.com> Date: Tue, 30 Jan 2024 01:47:27 -0300 Subject: [PATCH 4/6] [4.2.x] Pinned black == 23.12.1 for blacken-docs checks. --- .github/workflows/docs.yml | 2 +- docs/requirements.txt | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index c7ec6da8e2cd..4206c58e3515 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -49,7 +49,7 @@ jobs: uses: actions/setup-python@v4 with: python-version: '3.11' - - run: python -m pip install blacken-docs + - run: python -m pip install "black==23.12.1" blacken-docs - name: Build docs run: | cd docs diff --git a/docs/requirements.txt b/docs/requirements.txt index e234972a3bd1..7708cbe58810 100644 --- a/docs/requirements.txt +++ b/docs/requirements.txt @@ -1,4 +1,5 @@ pyenchant Sphinx>=4.5.0 sphinxcontrib-spelling +black==23.12.1 blacken-docs From 572ea07e84b38ea8de0551f4b4eda685d91d09d2 Mon Sep 17 00:00:00 2001 From: Adam Johnson Date: Mon, 22 Jan 2024 13:21:13 +0000 Subject: [PATCH 5/6] [4.2.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma template filter. Thanks Seokchan Yoon for the report. Co-authored-by: Mariusz Felisiak Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Co-authored-by: Shai Berger --- .../contrib/humanize/templatetags/humanize.py | 13 ++-- docs/releases/3.2.24.txt | 6 +- docs/releases/4.2.10.txt | 6 +- tests/humanize_tests/tests.py | 64 +++++++++++++++++++ 4 files changed, 81 insertions(+), 8 deletions(-) diff --git a/django/contrib/humanize/templatetags/humanize.py b/django/contrib/humanize/templatetags/humanize.py index 23224779c558..2c26f8944a78 100644 
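Review bot: The `docs.yml` step now hardcodes `python -m pip install "black==23.12.1" blacken-docs` while the same commit adds `black==23.12.1` next to `blacken-docs` in `docs/requirements.txt`, so the pin lives in two places and `blacken-docs` itself stays unpinned in both, meaning the job installs whatever version PyPI serves at run time. Installing from the requirements file in the workflow, `python -m pip install -r docs/requirements.txt`, would keep a single source of truth; if an earlier step I cannot see already installs that file, drop the explicit step instead. Pinning `blacken-docs` to an exact version there (and, for a genuinely reproducible job, installing with `pip --require-hashes`) closes the remaining gap.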
--- a/django/contrib/humanize/templatetags/humanize.py +++ b/django/contrib/humanize/templatetags/humanize.py @@ -75,12 +75,13 @@ def intcomma(value, use_l10n=True): return intcomma(value, False) else: return number_format(value, use_l10n=True, force_grouping=True) - orig = str(value) - new = re.sub(r"^(-?\d+)(\d{3})", r"\g<1>,\g<2>", orig) - if orig == new: - return new - else: - return intcomma(new, use_l10n) + result = str(value) + match = re.match(r"-?\d+", result) + if match: + prefix = match[0] + prefix_with_commas = re.sub(r"\d{3}", r"\g<0>,", prefix[::-1])[::-1] + result = prefix_with_commas + result[len(prefix) :] + return result # A tuple of standard large number to their converters diff --git a/docs/releases/3.2.24.txt b/docs/releases/3.2.24.txt index 1ab7024f73c7..67be0f65d189 100644 --- a/docs/releases/3.2.24.txt +++ b/docs/releases/3.2.24.txt @@ -6,4 +6,8 @@ Django 3.2.24 release notes Django 3.2.24 fixes a security issue with severity "moderate" in 3.2.23. -... +CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter +=========================================================================== + +The ``intcomma`` template filter was subject to a potential denial-of-service +attack when used with very long strings. diff --git a/docs/releases/4.2.10.txt b/docs/releases/4.2.10.txt index c039f6840f7e..7cdfa698144f 100644 --- a/docs/releases/4.2.10.txt +++ b/docs/releases/4.2.10.txt @@ -6,4 +6,8 @@ Django 4.2.10 release notes Django 4.2.10 fixes a security issue with severity "moderate" in 4.2.9. -... +CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter +=========================================================================== + +The ``intcomma`` template filter was subject to a potential denial-of-service +attack when used with very long strings. diff --git a/tests/humanize_tests/tests.py b/tests/humanize_tests/tests.py index cf29f5823293..a78bbadafd89 100644 --- a/tests/humanize_tests/tests.py 
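Review bot: The new grouping in `intcomma` emits a leading comma whenever the matched integer prefix has a digit count that is a multiple of three: `prefix[::-1]` of `"100"` is `"001"`, `re.sub(r"\d{3}", r"\g<0>,", ...)` turns that into `"001,"`, and reversing back yields `",100"`; by the same path `"-100"` becomes `"-,100"` and `"123456.78"` becomes `",123,456.78"`. The removed `^(-?\d+)(\d{3})` pattern needed at least four digits to fire, so this is a regression on the non-l10n path, reached with `use_l10n=False` or through the `return intcomma(value, False)` fallback visible in the context above. Strip the stray separator after building the string, e.g. `# Remove a leading comma, if needed.` followed by `prefix_with_commas = re.sub(r"^(-?),", r"\1", prefix_with_commas)`. The single `re.match`/`re.sub` pass does replace the removed recursion, which re-scanned the whole string once per inserted comma, so the DoS mitigation itself looks right; the head of `intcomma` (the `use_l10n` branch) lies above the hunk.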
+++ b/tests/humanize_tests/tests.py @@ -116,39 +116,71 @@ def test_i18n_html_ordinal(self): def test_intcomma(self): test_list = ( 100, + -100, 1000, + -1000, 10123, + -10123, 10311, + -10311, 1000000, + -1000000, 1234567.25, + -1234567.25, "100", + "-100", "1000", + "-1000", "10123", + "-10123", "10311", + "-10311", "1000000", + "-1000000", "1234567.1234567", + "-1234567.1234567", Decimal("1234567.1234567"), + Decimal("-1234567.1234567"), None, "1234567", + "-1234567", "1234567.12", + "-1234567.12", + "the quick brown fox jumped over the lazy dog", ) result_list = ( "100", + "-100", "1,000", + "-1,000", "10,123", + "-10,123", "10,311", + "-10,311", "1,000,000", + "-1,000,000", "1,234,567.25", + "-1,234,567.25", "100", + "-100", "1,000", + "-1,000", "10,123", + "-10,123", "10,311", + "-10,311", "1,000,000", + "-1,000,000", "1,234,567.1234567", + "-1,234,567.1234567", "1,234,567.1234567", + "-1,234,567.1234567", None, "1,234,567", + "-1,234,567", "1,234,567.12", + "-1,234,567.12", + "the quick brown fox jumped over the lazy dog", ) with translation.override("en"): self.humanize_tester(test_list, result_list, "intcomma") 
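Review bot: None of the added cases exercises the regex branch of `intcomma` with an integer-like string, because `humanize_tester` presumably renders the filter with its default `use_l10n=True`, where integer-like values go through `number_format`; only the prose string and the decimal strings reach the new `re.match`/`re.sub` code, and none of those has a leading digit run whose length is a multiple of three. Add direct assertions that pin the non-l10n path, `self.assertEqual(intcomma("100", False), "100")` and `self.assertEqual(intcomma("123456.78", False), "123,456.78")`, plus a long-input case for the CVE itself such as `self.assertEqual(intcomma("1" * 3000, False), ",".join(["111"] * 1000))`; against the code in this patch all three currently fail with a leading comma, which is exactly the regression such a test should catch. Whether `intcomma` is imported directly in this module is not visible in the hunk, so the name may need to be `humanize.intcomma`.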
@@ -156,39 +188,71 @@ def test_intcomma(self): def test_l10n_intcomma(self): test_list = ( 100, + -100, 1000, + -1000, 10123, + -10123, 10311, + -10311, 1000000, + -1000000, 1234567.25, + -1234567.25, "100", + "-100", "1000", + "-1000", "10123", + "-10123", "10311", + "-10311", "1000000", + "-1000000", "1234567.1234567", + "-1234567.1234567", Decimal("1234567.1234567"), + -Decimal("1234567.1234567"), None, "1234567", + "-1234567", "1234567.12", + "-1234567.12", + "the quick brown fox jumped over the lazy dog", ) result_list = ( "100", + "-100", "1,000", + "-1,000", "10,123", + "-10,123", "10,311", + "-10,311", "1,000,000", + "-1,000,000", "1,234,567.25", + "-1,234,567.25", "100", + "-100", "1,000", + "-1,000", "10,123", + "-10,123", "10,311", + "-10,311", "1,000,000", + "-1,000,000", "1,234,567.1234567", + "-1,234,567.1234567", "1,234,567.1234567", + "-1,234,567.1234567", None, "1,234,567", + "-1,234,567", "1,234,567.12", + "-1,234,567.12", + "the quick brown fox jumped over the lazy dog", ) with self.settings(USE_THOUSAND_SEPARATOR=False): with translation.override("en"): From a684d73fc9ad94bbc535385d8b1d7c05ea06702f Mon Sep 17 00:00:00 2001 From: Natalia <124304+nessita@users.noreply.github.com> Date: Tue, 6 Feb 2024 09:57:24 -0300 Subject: [PATCH 6/6] [4.2.x] Bumped version for 4.2.10 release. --- django/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/django/__init__.py b/django/__init__.py index b2f67a6ac8d7..dc83a622dde7 100644 --- a/django/__init__.py +++ b/django/__init__.py @@ -1,6 +1,6 @@ from django.utils.version import get_version -VERSION = (4, 2, 10, "alpha", 0) +VERSION = (4, 2, 10, "final", 0) __version__ = get_version(VERSION)
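Review bot: `-Decimal("1234567.1234567")` in `test_l10n_intcomma` builds the negative value by unary negation, whereas the parallel entry in `test_intcomma` is written `Decimal("-1234567.1234567")`; the values are equal, but the two lists are otherwise line-for-line parallel and the mismatch reads as unintended. Use `Decimal("-1234567.1234567")` here too. This method also runs under `USE_THOUSAND_SEPARATOR=False` yet expects grouped output, which follows from the `force_grouping=True` call in the filter; a one-line comment above the `with self.settings(...)` line, `# force_grouping=True in intcomma means grouping is applied even with USE_THOUSAND_SEPARATOR off`, would save the next reader the lookup. The method body continues past the hunk's last line.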