[4.2.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in `log_response()`.

Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net> Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.
author: Natalia <124304+nessita@users.noreply.github.com> 2025-05-20 15:29:52 -0300
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-06-04 08:50:05 -0300
commit: ac03c5e7df8680c61cdb0d3bdb8be9095dba841e (patch)
tree: d12382328018db57b44d1727f71b11c6cf45dcc1 /django
parent: c62f4eeda774b10541154b9e980f5b981030c4a0 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/django/utils/log.py b/django/utils/log.py
index fd0cc1bdc1..d7465f73d7 100644
--- a/django/utils/log.py
+++ b/django/utils/log.py
@@ -238,9 +238,14 @@ def log_response(
         else:
             level = "info"
 
+    escaped_args = tuple(
+        a.encode("unicode_escape").decode("ascii") if isinstance(a, str) else a
+        for a in args
+    )
+
     getattr(logger, level)(
         message,
-        *args,
+        *escaped_args,
         extra={
             "status_code": response.status_code,
             "request": request,
author	Natalia <124304+nessita@users.noreply.github.com>	2025-05-20 15:29:52 -0300
committer	Natalia <124304+nessita@users.noreply.github.com>	2025-06-04 08:50:05 -0300
commit	ac03c5e7df8680c61cdb0d3bdb8be9095dba841e (patch)
tree	d12382328018db57b44d1727f71b11c6cf45dcc1 /django
parent	c62f4eeda774b10541154b9e980f5b981030c4a0 (diff)