django

mirrors/django

Fork 0

mirror of https://github.com/django/django.git synced 2025-06-22 11:59:17 +00:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
Natalia	a07ebec559	Fixed CVE-2025-48432 -- Escaped formatting arguments in `log_response()`. Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net>	2025-06-04 08:33:30 -03:00
Natalia	1a74434399	Added stub release notes and release date for 5.2.2, 5.1.10, and 4.2.22.	2025-05-28 10:03:06 -03:00

Natalia

a07ebec559

Fixed CVE-2025-48432 -- Escaped formatting arguments in log_response().

Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.

To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.

Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.

Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>

2025-06-04 08:33:30 -03:00

Natalia

1a74434399

Added stub release notes and release date for 5.2.2, 5.1.10, and 4.2.22.

2025-05-28 10:03:06 -03:00

2 Commits