python3-django: fix regression from CVE-2024-24680 patch

This change is for python3-django_2.2.28. The patch that mitigated CVE-2024-246680 accidentally also brought a regression, some numbers were converted to (human-friendly) string incorrectly. This backported patch mitigates this problem. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-05-18 22:56:15 +00:00 · 2026-01-14 08:34:38 +01:00 · 2026-01-14 08:34:38 +01:00 · 4638d0ee22
commit 4638d0ee22
parent 75a627cd00
2 changed files with 31 additions and 0 deletions
--- a/meta-python/recipes-devtools/python/python3-django/0001-Fixed-35172-Fixed-intcomma-for-string-floats.patch
+++ b/meta-python/recipes-devtools/python/python3-django/0001-Fixed-35172-Fixed-intcomma-for-string-floats.patch
@ -0,0 +1,30 @@
+From 820af24fcaae817ab7c0733035673afc3b37eeac Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Thu, 8 Feb 2024 10:58:54 +0100
+Subject: [PATCH] Fixed #35172 -- Fixed intcomma for string floats.
+
+From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
+
+Thanks Warwick Brown for the report.
+
+Regression in 55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9.
+
+Upstream-Status: Backport [https://github.com/django/django/commit/2f14c2cedc9c92373471c1f98a80c81ba299584a]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ django/contrib/humanize/templatetags/humanize.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/django/contrib/humanize/templatetags/humanize.py b/django/contrib/humanize/templatetags/humanize.py
+index ee22a45..8490b5e 100644
+--- a/django/contrib/humanize/templatetags/humanize.py
+++ b/django/contrib/humanize/templatetags/humanize.py
+@@ -77,6 +77,8 @@ def intcomma(value, use_l10n=True):
+     if match:
+         prefix = match[0]
+         prefix_with_commas = re.sub(r"\d{3}", r"\g<0>,", prefix[::-1])[::-1]
+        # Remove a leading comma, if needed.
+        prefix_with_commas = re.sub(r"^(-?),", r"\1", prefix_with_commas)
+         result = prefix_with_commas + result[len(prefix) :]
+     return result
+ 
--- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@ -34,6 +34,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
            file://CVE-2025-64459.patch \
            file://Fix-undefined-_lazy_re_compile.patch \
            file://Fix-missing-JSONField-in-django.db.mo.patch \
+            file://0001-Fixed-35172-Fixed-intcomma-for-string-floats.patch \
           "

 SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"