mirror of https://github.com/django/django.git (synced 2025-10-31 09:41:08 +00:00)
Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
Backport of a07ebec559 from main.
22 lines
922 B
Plaintext
===========================
Django 5.1.10 release notes
===========================

*June 4, 2025*

Django 5.1.10 fixes a security issue with severity "low" in 5.1.9.

CVE-2025-48432: Potential log injection via unescaped request path
==================================================================

Internal HTTP response logging used ``request.path`` directly, allowing control
characters (e.g. newlines or ANSI escape sequences) to be written unescaped
into logs. This could enable log injection or forgery, letting attackers
manipulate log appearance or structure, especially in logs processed by
external systems or viewed in terminals.

Although this does not directly impact Django's security model, it poses risks
when logs are consumed or interpreted by other tools. To fix this, the internal
``django.utils.log.log_response()`` function now escapes all positional
formatting arguments using a safe encoding.
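As an added example (not Django's own code), the escaping approach the note describes, applied in a small ``log_response()`` stand-in built on Python's ``logging`` module; the helper names and the sample request path are constructed for illustration:

```python
import logging
from io import StringIO

# Illustration of the mitigation: every positional formatting argument is
# passed through "unicode_escape" before it reaches the logger, so newlines
# and terminal escape sequences in a request path can no longer break the
# one-record-per-line structure of the log. Not Django's implementation.


def escape_log_arg(arg):
    """Return arg as a str with control and non-ASCII characters escaped."""
    return str(arg).encode("unicode_escape").decode("ascii")


def log_response(logger, message, *args, level="warning"):
    """Log `message % args` with each positional argument escaped."""
    getattr(logger, level)(message, *[escape_log_arg(a) for a in args])


def render_log(path, escaped=True):
    """Capture what a plain formatter writes for one request path.

    escaped=False logs the raw path (the vulnerable behaviour);
    escaped=True applies the mitigation.
    """
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s: %(message)s"))
    logger = logging.getLogger("example.log_injection")
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    if escaped:
        log_response(logger, "Not Found: %s", path)
    else:
        logger.warning("Not Found: %s", path)
    handler.flush()
    return buf.getvalue()


# Constructed sample path: a newline followed by text that mimics a second
# log record, then an ANSI sequence that would erase a terminal line.
SAMPLE_PATH = "/missing\nINFO: admin login ok\x1b[2K"

if __name__ == "__main__":
    print("raw:    ", repr(render_log(SAMPLE_PATH, escaped=False)))
    print("escaped:", repr(render_log(SAMPLE_PATH, escaped=True)))
```

The raw variant produces two lines (the forged "INFO" record stands alone), while the escaped variant keeps a single record with the injected bytes visible as ``\n`` and ``\x1b``.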