#36715: intcomma filter crashes on non-finite numbers
-------------------------------------+-------------------------------------
     Reporter:  Tim Graham           |                    Owner:  Varun
                                     |  Kasyap Pentamaraju
         Type:  Bug                  |                   Status:  assigned
    Component:  contrib.humanize     |                  Version:  5.2
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  1                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Description changed by Tim Graham:

Old description:

> From Skrc Prst (skrcprst) on HackerOne:
>
> When looking at humanize filters, I discovered that the intcomma filter does
> not robustly handle values that are not a finite number, like Inf, -Inf,
> Infinity, -Infinity, NaN or sNaN, and raises a TypeError that is not
> caught in the calling code.
>
> {{{#!python
> diff --git a/tests/humanize_tests/tests.py
> b/tests/humanize_tests/tests.py
> index ab967e2874..8b90245311 100644
> --- a/tests/humanize_tests/tests.py
> +++ b/tests/humanize_tests/tests.py
> @@ -153,6 +153,7 @@ class HumanizeTests(SimpleTestCase):
>              "-1234567.1234567",
>              Decimal("1234567.1234567"),
>              Decimal("-1234567.1234567"),
> +            Decimal("Infinity"),
>              None,
>              "1234567",
>              "-1234567",
> }}}
> Observe a crash:
> {{{
>             # Format values with more than 200 digits (an arbitrary cutoff) using
>             # scientific notation to avoid high memory usage in {:f}'.format().
>             _, digits, exponent = number.as_tuple()
> >           if abs(exponent) + len(digits) > 200:
>                ^^^^^^^^^^^^^
> E           TypeError: bad operand type for abs(): 'str'
> }}}
> The code could be fortified with something like:
> {{{#!python
> diff --git a/django/utils/numberformat.py b/django/utils/numberformat.py
> index cf8b2d219c..1f9ae840a5 100644
> --- a/django/utils/numberformat.py
> +++ b/django/utils/numberformat.py
> @@ -48,6 +48,10 @@ def format(
>              if abs(number) < cutoff:
>                  number = Decimal("0")
>
> +        if not number.is_finite():
> +            # like NaN or Infinity
> +            return str(number)
> +
>          # Format values with more than 200 digits (an arbitrary cutoff)
> using
>          # scientific notation to avoid high memory usage in
> {:f}'.format().
>          _, digits, exponent = number.as_tuple()
> }}}

New description:

 When looking at humanize filters, an anonymous reporter discovered that
 the intcomma filter does not robustly handle values that are not a finite
 number, like Inf, -Inf, Infinity, -Infinity, NaN or sNaN, and raises a
 TypeError that is not caught in the calling code.

 {{{#!python
 diff --git a/tests/humanize_tests/tests.py b/tests/humanize_tests/tests.py
 index ab967e2874..8b90245311 100644
 --- a/tests/humanize_tests/tests.py
 +++ b/tests/humanize_tests/tests.py
 @@ -153,6 +153,7 @@ class HumanizeTests(SimpleTestCase):
              "-1234567.1234567",
              Decimal("1234567.1234567"),
              Decimal("-1234567.1234567"),
 +            Decimal("Infinity"),
              None,
              "1234567",
              "-1234567",
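Review bot: Only `Decimal("Infinity")` is added to the inputs, while the description lists Inf, -Inf, Infinity, -Infinity, NaN and sNaN; add at least `Decimal("-Infinity")`, `Decimal("NaN")` and `Decimal("sNaN")` so the NaN paths (whose `as_tuple()` exponents are the strings 'n' and 'N' rather than 'F') are exercised as well. The hunk also shows only the input side of the test data; if this test pairs each input with an expected output, the matching expected string (`"Infinity"`) has to be inserted at the same position or every later pair shifts.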
 }}}
 Observe a crash:
 {{{
             # Format values with more than 200 digits (an arbitrary cutoff) using
             # scientific notation to avoid high memory usage in {:f}'.format().
             _, digits, exponent = number.as_tuple()
 >           if abs(exponent) + len(digits) > 200:
                ^^^^^^^^^^^^^
 E           TypeError: bad operand type for abs(): 'str'
 }}}
 The code could be fortified with something like:
 {{{#!python
 diff --git a/django/utils/numberformat.py b/django/utils/numberformat.py
 index cf8b2d219c..1f9ae840a5 100644
 --- a/django/utils/numberformat.py
 +++ b/django/utils/numberformat.py
 @@ -48,6 +48,10 @@ def format(
              if abs(number) < cutoff:
                  number = Decimal("0")

 +        if not number.is_finite():
 +            # like NaN or Infinity
 +            return str(number)
 +
          # Format values with more than 200 digits (an arbitrary cutoff)
 using
          # scientific notation to avoid high memory usage in
 {:f}'.format().
          _, digits, exponent = number.as_tuple()
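Review bot: The `is_finite()` guard sits below the `if abs(number) < cutoff:` comparison, so whenever that branch runs (decimal_pos set) a NaN never reaches the guard: `abs()` of a signaling NaN raises `decimal.InvalidOperation`, and an ordering comparison (`<`) involving any NaN, quiet or signaling, raises `InvalidOperation` too. Move the guard above the cutoff block, before any arithmetic or comparison touches `number`, so NaN and sNaN get the same early return as Infinity. Also worth a comment next to `return str(number)`: it deliberately bypasses localisation and grouping, returning "Infinity"/"NaN" as-is.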
 }}}

--
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36715#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
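An added illustration of the failure and of where the guard has to go (example code written for this page; it is neither Django's numberformat nor the reporter's patch). It uses a stand-in formatter shaped like the context lines in the hunk and compares three placements of the check: no guard, the guard after the cutoff comparison as in the proposed patch, and the guard first. The names `as_tuple_exponent`, `_cutoff_to_zero`, `_format_finite`, `unguarded_format`, `late_guard_format`, `early_guard_format` and `outcome` are hypothetical, and the cutoff construction is a simplified stand-in for Django's.

```python
from decimal import Decimal, InvalidOperation


def as_tuple_exponent(value):
    """Expose the exponent field of Decimal.as_tuple(): an int for finite
    values, but the one-letter str 'F', 'n' or 'N' for Infinity, NaN and sNaN,
    which is what makes abs(exponent) raise TypeError."""
    return Decimal(value).as_tuple().exponent


def _cutoff_to_zero(number, decimal_pos):
    # Hypothetical stand-in for the cutoff block visible in the hunk's context
    # lines (not Django's code): values below the smallest magnitude that
    # decimal_pos can show collapse to zero.
    if decimal_pos is not None:
        cutoff = Decimal("0." + "1".rjust(decimal_pos, "0"))
        # abs() raises InvalidOperation on sNaN; '<' raises on any NaN.
        if abs(number) < cutoff:
            number = Decimal("0")
    return number


def _format_finite(number):
    # The lines from the ticket's traceback: abs(exponent) fails when the
    # exponent is a str, which it is for every non-finite Decimal.
    _, digits, exponent = number.as_tuple()
    if abs(exponent) + len(digits) > 200:
        return "{:e}".format(number)
    return "{:f}".format(number)


def unguarded_format(number, decimal_pos=None):
    """No non-finite check at all (the behaviour the ticket reports)."""
    number = _cutoff_to_zero(Decimal(number), decimal_pos)
    return _format_finite(number)


def late_guard_format(number, decimal_pos=None):
    """Guard placed where the proposed patch puts it: after the cutoff block."""
    number = _cutoff_to_zero(Decimal(number), decimal_pos)
    if not number.is_finite():
        return str(number)
    return _format_finite(number)


def early_guard_format(number, decimal_pos=None):
    """Guard placed first, before any arithmetic or comparison on the value."""
    number = Decimal(number)
    if not number.is_finite():  # non-signaling predicate, safe even for sNaN
        return str(number)
    number = _cutoff_to_zero(number, decimal_pos)
    return _format_finite(number)


def outcome(formatter, value, decimal_pos=None):
    """Return the formatted string, or the name of the exception raised, so the
    three variants can be compared on the same (constructed) inputs."""
    try:
        return formatter(value, decimal_pos)
    except (TypeError, InvalidOperation) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # Constructed sample inputs covering the values named in the ticket.
    for value in ("Infinity", "-Infinity", "NaN", "sNaN", "1234567.1234567"):
        for decimal_pos in (None, 2):
            print(value, decimal_pos,
                  outcome(unguarded_format, value, decimal_pos),
                  outcome(late_guard_format, value, decimal_pos),
                  outcome(early_guard_format, value, decimal_pos))
```

Running it shows the point of the review comment: with decimal_pos unset all three variants agree once a guard exists, but with decimal_pos set the late guard still raises InvalidOperation for NaN and sNaN because the cutoff comparison runs first, while the early guard returns "NaN"/"sNaN" as it does for "Infinity".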
