logo
DATABASE RESOURCES PRICING ABOUT US

Potential DoS with NumberFilter conversion to integer values.

Description

### Impact Automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents. ### Patches Version 2.4.0+ applies a `MaxValueValidator` with a a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()` which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. ### Workarounds Users may manually apply an equivalent validator if they are not able to upgrade. ### For more information If you have any questions or comments about this advisory: * Open an issue in [the django-filter repo](https://github.com/carltongibson/django-filter) Thanks to Marcin Waraksa for the report.


Affected Software


CPE Name Name Version
django-filter 0.1.0
django-filter 0.10.0
django-filter 0.11.0
django-filter 0.12.0
django-filter 0.13.0
django-filter 0.14.0
django-filter 0.15.0
django-filter 0.15.1
django-filter 0.15.2
django-filter 0.15.3
django-filter 0.2.0
django-filter 0.5.0
django-filter 0.5.1
django-filter 0.5.2
django-filter 0.5.3
django-filter 0.5.4
django-filter 0.6
django-filter 0.6a1
django-filter 0.7
django-filter 0.8
django-filter 0.9.0
django-filter 0.9.1
django-filter 0.9.2
django-filter 1.0.0
django-filter 1.0.1
django-filter 1.0.2
django-filter 1.0.3
django-filter 1.0.4
django-filter 1.1.0
django-filter 2.0.0
django-filter 2.0.0.dev1
django-filter 2.1.0
django-filter 2.2.0
django-filter 2.3.0

Related