mirror of
https://github.com/django/django.git
synced 2025-06-17 09:29:17 +00:00
a07ebec559
Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net>
22 lines
923 B
Plaintext
22 lines
923 B
Plaintext
===========================
|
|
Django 4.2.22 release notes
|
|
===========================
|
|
|
|
*June 4, 2025*
|
|
|
|
Django 4.2.22 fixes a security issue with severity "low" in 4.2.21.
|
|
|
|
CVE-2025-48432: Potential log injection via unescaped request path
|
|
==================================================================
|
|
|
|
Internal HTTP response logging used ``request.path`` directly, allowing control
|
|
characters (e.g. newlines or ANSI escape sequences) to be written unescaped
|
|
into logs. This could enable log injection or forgery, letting attackers
|
|
manipulate log appearance or structure, especially in logs processed by
|
|
external systems or viewed in terminals.
|
|
|
|
Although this does not directly impact Django's security model, it poses risks
|
|
when logs are consumed or interpreted by other tools. To fix this, the internal
|
|
``django.utils.log.log_response()`` function now escapes all positional
|
|
formatting arguments using a safe encoding.
|