From f5b6ed78200b2cbff71ec771e6f014de5d4abbd8 Mon Sep 17 00:00:00 2001 From: YashRaj1506 Date: Thu, 26 Jun 2025 03:31:00 +0530 Subject: [6.0.x] Fixed #36470 -- Prevented log injection in runserver when handling NOT FOUND. Migrated `WSGIRequestHandler.log_message()` to use a more robust `log_message()` helper, which was based of `log_response()` via factoring out the common bits. Refs CVE-2025-48432. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 9bb83925d6c231e964f8b54efbc982fb1333da27 from main. --- tests/servers/test_basehttp.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'tests') diff --git a/tests/servers/test_basehttp.py b/tests/servers/test_basehttp.py index cc4701114a..9190fc8a20 100644 --- a/tests/servers/test_basehttp.py +++ b/tests/servers/test_basehttp.py @@ -50,6 +50,21 @@ class WSGIRequestHandlerTestCase(SimpleTestCase): cm.records[0].levelname, wrong_level.upper() ) + def test_log_message_escapes_control_sequences(self): + request = WSGIRequest(self.request_factory.get("/").environ) + request.makefile = lambda *args, **kwargs: BytesIO() + handler = WSGIRequestHandler(request, "192.168.0.2", None) + + malicious_path = "\x1b[31mALERT\x1b[0m" + + with self.assertLogs("django.server", "WARNING") as cm: + handler.log_message("GET %s %s", malicious_path, "404") + + log = cm.output[0] + + self.assertNotIn("\x1b[31m", log) + self.assertIn("\\x1b[31mALERT\\x1b[0m", log) + def test_https(self): request = WSGIRequest(self.request_factory.get("/").environ) request.makefile = lambda *args, **kwargs: BytesIO() -- cgit v1.3