Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
Previously, the ADMINS and MANAGERS settings were lists of (name, address)
tuples (where the name had been unused). Deprecated use of tuples.
Updated settings value sanity checks, and changed from ValueError to
ImproperlyConfigured.
The SetupConfigureLogging test case does not restore the logging config
after its execution. It leaves the logger django.request with an empty
handlers array.
This also removes the last use of LOGGING_CONFIG, introduced in
43503b093a35ca4707c16d865f10929960bfa0b8.
* assertIsNone()/assertIsNotNone() instead of comparing to None.
* assertLess() for < comparisons.
* assertIs() for 'is' expressions.
* assertIsInstance() for isinstance() expressions.
* rounding of assertAlmostEqual() for round() expressions.
* assertIs(..., True/False) instead of comparing to True/False.
* assertIs()/assertIsNot() for ==/!= comparisons.
* assertNotEqual() for == comparisons.
* assertTrue()/assertFalse() instead of comparing to True/False.
Use tempfile.TemporaryDirectory() in AdminScriptTestCase.setUp()
to create and destroy a temporary directory for each test. It removes
the need for individual tests to delete files.
For test classes that don't use the temporary directory, inherit from
SimpleTestCase.
Allowed ServerFormatter to handle simple string messages or messages with
formatting arguments. The formatter will set the server_time variable on
the log record if it's required by the format string but wasn't passed in
extra parameters.
Refs #26572, #17281. The RFC doesn't limit total length, just the line length
which is already taken care of by Python itself.
Thanks Tim Graham for the review.
Without an explicit 'level', only messages at WARNING or higher
are handled. This makes the config consistent with the docs
which say, "The django catch-all logger sends all messages at
the INFO level or higher to the console."
