CVE-2020-15225

django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter before version 2.4.0, automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a `MaxValueValidator` with a a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()` which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. Users may manually apply an equivalent validator if they are not able to upgrade.

django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter before version 2.4.0, automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a `MaxValueValidator` with a a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()` which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. Users may manually apply an equivalent validator if they are not able to upgrade.

django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter before version 2.4.0, automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a `MaxValueValidator` with a a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()` which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. Users may manually apply an equivalent validator if they are not able to upgrade.

### Impact Automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents. ### Patches Version 2.4.0+ applies a `MaxValueValidator` with a a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()` which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. ### Workarounds Users may manually apply an equivalent validator if they are not able to upgrade. ### For more information If you have any questions or comments about this advisory: * Open an issue in [the django-filter repo](https://github.com/carltongibson/django-filter) Thanks to Marcin Waraksa for the report.

django-filter es un sistema genérico para filtrar Django QuerySets en función de las selecciones del usuario. En django-filter anterior a la versión 2.4.0, las instancias de "NumberFilter" generadas automáticamente, cuyo valor se convirtió más tarde en un entero, estaban sujetas a posibles DoS de la entradas maliciosas usando un formato exponencial con exponentes suficientemente grandes. La versión 2.4.0+ aplica un "MaxValueValidator" con un "limit_value" predeterminado de 1e50 al campo de formulario usado por unas instancias de "NumberFilter". Además, "NumberFilter" implementa el nuevo "get_max_validator()" que debería devolver una instancia de validación configurada para personalizar el límite, o bien "None" para deshabilitar una comprobación adicional. Los usuarios pueden aplicar manualmente un validador equivalente si no pueden actualizar.