mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-06-14 07:59:12 +00:00
Code Issues 32 Releases Wiki Activity

[4.2.x] Refs CVE-2025-48432 -- Made SuspiciousOperation logging use log_response() for consistency.

Browse Source 
Backport of ff835f439cb1ecd8d74a24de12e3c03e5477dc9d from main.
This commit is contained in:
Natalia 2025-06-05 10:07:17 -03:00
parent ba24ee34f9
commit 10ba3f78da
2 changed files with 20 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
django/core/handlers/exception.py
View File

@ -116,16 +116,6 @@ def response_for_exception(request, exc):
# exception would be raised. # exception would be raised.
request._mark_post_parse_error() request._mark_post_parse_error()
# The request logger receives events for any problematic request
# The security logger receives events for all SuspiciousOperations
security_logger = logging.getLogger(
"django.security.%s" % exc.__class__.__name__
)
security_logger.error(
str(exc),
exc_info=exc,
extra={"status_code": 400, "request": request},
)
if settings.DEBUG: if settings.DEBUG:
response = debug.technical_500_response( response = debug.technical_500_response(
request, *sys.exc_info(), status_code=400 request, *sys.exc_info(), status_code=400
@ -134,6 +124,17 @@ def response_for_exception(request, exc):
response = get_exception_response( response = get_exception_response(
request, get_resolver(get_urlconf()), 400, exc request, get_resolver(get_urlconf()), 400, exc
) )
# The logger is set to django.security, which specifically captures
# SuspiciousOperation events, unlike the default django.request logger.
security_logger = logging.getLogger(f"django.security.{exc.__class__.__name__}")
log_response(
str(exc),
exception=exc,
request=request,
response=response,
level="error",
logger=security_logger,
)
else: else:
signals.got_request_exception.send(sender=None, request=request) signals.got_request_exception.send(sender=None, request=request)

9
tests/logging_tests/tests.py
View File

@ -597,6 +597,15 @@ class SecurityLoggerTest(LoggingAssertionMixin, SimpleTestCase):
self.assertEqual(len(mail.outbox), 1) self.assertEqual(len(mail.outbox), 1)
self.assertIn("SuspiciousOperation at /suspicious/", mail.outbox[0].body) self.assertIn("SuspiciousOperation at /suspicious/", mail.outbox[0].body)
def test_response_logged(self):
with self.assertLogs("django.security.SuspiciousOperation", "ERROR") as handler:
response = self.client.get("/suspicious/")
self.assertLogRecord(
handler, "dubious", logging.ERROR, 400, request=response.wsgi_request
)
self.assertEqual(response.status_code, 400)
class SettingsCustomLoggingTest(AdminScriptTestCase): class SettingsCustomLoggingTest(AdminScriptTestCase):
""" """