| author | YashRaj1506 <yashraj504300@gmail.com> | 2025-06-26 03:31:00 +0530 |
|---|---|---|
| committer | nessita <124304+nessita@users.noreply.github.com> | 2025-10-20 16:21:32 -0300 |
| commit | 9bb83925d6c231e964f8b54efbc982fb1333da27 (patch) | |
| tree | bbf430620cdb633c587414ef9a4910812aa148d7 /django/core | |
| parent | 5625bd590766e5ca8c2c76ba2307b98f7450ff83 (diff) | |
Fixed #36470 -- Prevented log injection in runserver when handling NOT FOUND.
Migrated `WSGIRequestHandler.log_message()` to use a more robust
`log_message()` helper, which was based on `log_response()` via factoring out
the common bits.
Refs CVE-2025-48432.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Diffstat (limited to 'django/core')
| -rw-r--r-- | django/core/servers/basehttp.py | 43 |
1 files changed, 18 insertions, 25 deletions
diff --git a/django/core/servers/basehttp.py b/django/core/servers/basehttp.py
index 41719034fb..d62b88d286 100644
--- a/django/core/servers/basehttp.py
+++ b/django/core/servers/basehttp.py
@@ -18,6 +18,7 @@ from django.core.exceptions import ImproperlyConfigured
 from django.core.handlers.wsgi import LimitedStream
 from django.core.wsgi import get_wsgi_application
 from django.db import connections
+from django.utils.log import log_message
 from django.utils.module_loading import import_string
 
 __all__ = ("WSGIServer", "WSGIRequestHandler")
@@ -182,35 +183,27 @@ class WSGIRequestHandler(simple_server.WSGIRequestHandler):
         return self.client_address[0]
 
     def log_message(self, format, *args):
-        extra = {
-            "request": self.request,
-            "server_time": self.log_date_time_string(),
-        }
-        if args[1][0] == "4":
+        if args[1][0] == "4" and args[0].startswith("\x16\x03"):
             # 0x16 = Handshake, 0x03 = SSL 3.0 or TLS 1.x
-            if args[0].startswith("\x16\x03"):
-                extra["status_code"] = 500
-                logger.error(
-                    "You're accessing the development server over HTTPS, but "
-                    "it only supports HTTP.",
-                    extra=extra,
-                )
-                return
-
-        if args[1].isdigit() and len(args[1]) == 3:
+            format = (
+                "You're accessing the development server over HTTPS, but it only "
+                "supports HTTP."
+            )
+            status_code = 500
+            args = ()
+        elif args[1].isdigit() and len(args[1]) == 3:
             status_code = int(args[1])
-            extra["status_code"] = status_code
-
-            if status_code >= 500:
-                level = logger.error
-            elif status_code >= 400:
-                level = logger.warning
-            else:
-                level = logger.info
         else:
-            level = logger.info
+            status_code = None
 
-        level(format, *args, extra=extra)
+        log_message(
+            logger,
+            format,
+            *args,
+            request=self.request,
+            status_code=status_code,
+            server_time=self.log_date_time_string(),
+        )
 
     def get_environ(self):
         # Strip all headers with underscores in the name before constructing |
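Review bot: The rewritten `log_message` body has no docstring explaining why logging now goes through `django.utils.log.log_message` instead of calling `logger.*` directly, even though that indirection is the whole fix (the commit title says it prevents log injection, and `args[0]` on the `log_request` path is the client-supplied request line). A maintainer reading only this method sees plain argument forwarding and could later reintroduce a direct `logger.info(format, *args, extra=...)` call; a docstring such as `"""Log via log_message() rather than the logger directly: the request line in args[0] is client-controlled and must not reach a log record unsanitized."""` would pin the intent. Separately, the combined condition `args[1][0] == "4" and args[0].startswith("\x16\x03")` still assumes at least two string arguments, which holds for `log_request`'s `(requestline, str(code), str(size))` call but not necessarily for other `BaseHTTPRequestHandler` paths such as `log_error` that also funnel into `log_message`; this predates the commit rather than being introduced by it. The enclosing class continues past the end of the hunk.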
