mirror of https://github.com/django/django.git synced 2025-10-27 15:46:10 +00:00

Fixed CVE-2025-48432 -- Escaped formatting arguments in log_response().

Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.

To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.

Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.

Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
This commit is contained in:
Natalia
2025-05-20 15:29:52 -03:00
parent 08187c94ed
commit a07ebec559
5 changed files with 128 additions and 1 deletions


@@ -245,9 +245,14 @@ def log_response(
else:
level = "info"
escaped_args = tuple(
a.encode("unicode_escape").decode("ascii") if isinstance(a, str) else a
for a in args
)
getattr(logger, level)(
message,
*args,
*escaped_args,
extra={
"status_code": response.status_code,
"request": request,
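Review bot: The escaping in `escaped_args` only covers positional arguments that are `str`; the `if isinstance(a, str) else a` branch passes any other object through untouched (for example an object whose `__str__` yields a CRLF sequence), and the `message` format string itself is still passed unescaped, so the fix holds only as long as every caller of `log_response()` passes untrusted request data as `str` positional arguments rather than interpolating it into `message`. A short comment above the `escaped_args` tuple stating that contract would help future callers. Also worth noting in the release notes: `unicode_escape` rewrites non-ASCII characters as well as control characters (a path containing "é" is logged as `\xe9`), so log consumers that parse non-ASCII request paths will see a format change; the `.decode("ascii")` is safe because `unicode_escape` output is pure ASCII.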