Refs CVE-2025-48432 -- Prevented log injection in remaining response logging.

Migrated remaining response-related logging to use the `log_response()` helper to avoid potential log injection, to ensure untrusted values like request paths are safely escaped. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-10-27 15:46:10 +00:00 · 2025-06-04 16:08:46 +01:00
parent ff835f439c
commit 9579517552
6 changed files with 80 additions and 11 deletions
--- a/django/views/generic/base.py
+++ b/django/views/generic/base.py
@@ -14,6 +14,7 @@ from django.template.response import TemplateResponse
 from django.urls import reverse
 from django.utils.decorators import classonlymethod
 from django.utils.functional import classproperty
+from django.utils.log import log_response

 logger = logging.getLogger("django.request")

@@ -143,13 +144,14 @@ class View:
        return handler(request, *args, **kwargs)

    def http_method_not_allowed(self, request, *args, **kwargs):
-        logger.warning(
+        response = HttpResponseNotAllowed(self._allowed_methods())
+        log_response(
            "Method Not Allowed (%s): %s",
            request.method,
            request.path,
-            extra={"status_code": 405, "request": request},
+            response=response,
+            request=request,
        )
-        response = HttpResponseNotAllowed(self._allowed_methods())

        if self.view_is_async:

@@ -261,10 +263,9 @@ class RedirectView(View):
            else:
                return HttpResponseRedirect(url)
        else:
-            logger.warning(
-                "Gone: %s", request.path, extra={"status_code": 410, "request": request}
-            )
-            return HttpResponseGone()
+            response = HttpResponseGone()
+            log_response("Gone: %s", request.path, response=response, request=request)
+            return response

    def head(self, request, *args, **kwargs):
        return self.get(request, *args, **kwargs)