Refs CVE-2025-48432 -- Made SuspiciousOperation logging use log_response() for consistency.

2025-10-31 09:41:08 +00:00 · 2025-06-05 10:07:17 -03:00
parent 9d72e7daf7
commit ff835f439c
2 changed files with 20 additions and 10 deletions
--- a/django/core/handlers/exception.py
+++ b/django/core/handlers/exception.py
@@ -116,16 +116,6 @@ def response_for_exception(request, exc):
            # exception would be raised.
            request._mark_post_parse_error()

-        # The request logger receives events for any problematic request
-        # The security logger receives events for all SuspiciousOperations
-        security_logger = logging.getLogger(
-            "django.security.%s" % exc.__class__.__name__
-        )
-        security_logger.error(
-            str(exc),
-            exc_info=exc,
-            extra={"status_code": 400, "request": request},
-        )
        if settings.DEBUG:
            response = debug.technical_500_response(
                request, *sys.exc_info(), status_code=400
@@ -134,6 +124,17 @@ def response_for_exception(request, exc):
            response = get_exception_response(
                request, get_resolver(get_urlconf()), 400, exc
            )
+        # The logger is set to django.security, which specifically captures
+        # SuspiciousOperation events, unlike the default django.request logger.
+        security_logger = logging.getLogger(f"django.security.{exc.__class__.__name__}")
+        log_response(
+            str(exc),
+            exception=exc,
+            request=request,
+            response=response,
+            level="error",
+            logger=security_logger,
+        )

    else:
        signals.got_request_exception.send(sender=None, request=request)
--- a/tests/logging_tests/tests.py
+++ b/tests/logging_tests/tests.py
@@ -618,6 +618,15 @@ class SecurityLoggerTest(LoggingAssertionMixin, SimpleTestCase):
        self.assertEqual(len(mail.outbox), 1)
        self.assertIn("SuspiciousOperation at /suspicious/", mail.outbox[0].body)

+    def test_response_logged(self):
+        with self.assertLogs("django.security.SuspiciousOperation", "ERROR") as handler:
+            response = self.client.get("/suspicious/")
+
+        self.assertLogRecord(
+            handler, "dubious", logging.ERROR, 400, request=response.wsgi_request
+        )
+        self.assertEqual(response.status_code, 400)
+

 class SettingsCustomLoggingTest(AdminScriptTestCase):
    """