authorJake Howard <git@theorangeone.net>2025-06-04 16:08:46 +0100
committerNatalia <124304+nessita@users.noreply.github.com>2025-06-06 09:07:12 -0300
commit8fcc83953c350e158a484bf1da0aa1b79b69bb07 (patch)
tree75049c5eb7c7b654a29db41a4a1d09d1fd650874 /django
parent9d7fc9eb1c79242f3330aa62629699a8b5fc5451 (diff)
[5.2.x] Refs CVE-2025-48432 -- Prevented log injection in remaining response logging.
Migrated remaining response-related logging to use the `log_response()` helper to avoid potential log injection, ensuring untrusted values like request paths are safely escaped. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 957951755259b412d5113333b32bf85871d29814 from main.
Diffstat (limited to 'django')
-rw-r--r--django/views/generic/base.py15
1 files changed, 8 insertions, 7 deletions
diff --git a/django/views/generic/base.py b/django/views/generic/base.py
index 8f8f9397e8..8412288be1 100644
--- a/django/views/generic/base.py
+++ b/django/views/generic/base.py
@@ -14,6 +14,7 @@ from django.template.response import TemplateResponse
from django.urls import reverse
from django.utils.decorators import classonlymethod
from django.utils.functional import classproperty
+from django.utils.log import log_response
logger = logging.getLogger("django.request")
@@ -143,13 +144,14 @@ class View:
return handler(request, *args, **kwargs)
def http_method_not_allowed(self, request, *args, **kwargs):
- logger.warning(
+ response = HttpResponseNotAllowed(self._allowed_methods())
+ log_response(
"Method Not Allowed (%s): %s",
request.method,
request.path,
- extra={"status_code": 405, "request": request},
+ response=response,
+ request=request,
)
- response = HttpResponseNotAllowed(self._allowed_methods())
if self.view_is_async:
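Review bot: After this hunk and the RedirectView.get hunk below, the module-level `logger = logging.getLogger("django.request")` that survives as context in the first hunk may no longer have any direct caller in base.py; if a grep of the rest of the file confirms that, the `logger` binding and the `logging` import are dead and should go in a follow-up (they sit outside these hunks, so the diff cannot show it). The new `log_response()` call presumably takes the status code from the `response` it is handed, since the old `extra={"status_code": 405, ...}` is gone, which is why `HttpResponseNotAllowed(self._allowed_methods())` is now built before logging; a short comment such as `# Build the response first so log_response() can derive the status from it.` above `response = ...` would make that ordering requirement explicit for the next editor. The remainder of http_method_not_allowed (the async/sync return of `response`) lies outside the hunk.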
@@ -261,10 +263,9 @@ class RedirectView(View):
else:
return HttpResponseRedirect(url)
else:
- logger.warning(
- "Gone: %s", request.path, extra={"status_code": 410, "request": request}
- )
- return HttpResponseGone()
+ response = HttpResponseGone()
+ log_response("Gone: %s", request.path, response=response, request=request)
+ return response
def head(self, request, *args, **kwargs):
return self.get(request, *args, **kwargs)