
From b597d46bb19c8567615e62029210dab16c70db7d Mon Sep 17 00:00:00 2001
From: Jake Howard <git@theorangeone.net>
Date: Wed, 4 Jun 2025 16:08:46 +0100
Subject: [PATCH] [4.2.x] Refs CVE-2025-48432 -- Prevented log injection in
 remaining response logging.

Migrated remaining response-related logging to use the `log_response()`
helper to avoid potential log injection and to ensure untrusted values like
request paths are safely escaped.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

Backport of 957951755259b412d5113333b32bf85871d29814 from main.
---
 django/views/generic/base.py     | 15 ++++++------
 docs/releases/4.2.23.txt         | 14 +++++++++++
 docs/releases/index.txt          |  1 +
 tests/generic_views/test_base.py | 40 ++++++++++++++++++++++++++++++--
 4 files changed, 61 insertions(+), 9 deletions(-)
 create mode 100644 docs/releases/4.2.23.txt

Index: Django-2.2.28/django/views/generic/base.py
===================================================================
--- Django-2.2.28.orig/django/views/generic/base.py
+++ Django-2.2.28/django/views/generic/base.py
@@ -9,6 +9,7 @@ from django.http import (
 from django.template.response import TemplateResponse
 from django.urls import reverse
 from django.utils.decorators import classonlymethod
+from django.utils.log import log_response
 
 logger = logging.getLogger('django.request')
 
@@ -97,11 +98,12 @@ class View:
         return handler(request, *args, **kwargs)
 
     def http_method_not_allowed(self, request, *args, **kwargs):
-        logger.warning(
+        response = HttpResponseNotAllowed(self._allowed_methods())
+        log_response(
             'Method Not Allowed (%s): %s', request.method, request.path,
-            extra={'status_code': 405, 'request': request}
+            response=response, request=request
         )
-        return HttpResponseNotAllowed(self._allowed_methods())
+        return response
 
     def options(self, request, *args, **kwargs):
         """Handle responding to requests for the OPTIONS HTTP verb."""
@@ -192,11 +194,9 @@ class RedirectView(View):
             else:
                 return HttpResponseRedirect(url)
         else:
-            logger.warning(
-                'Gone: %s', request.path,
-                extra={'status_code': 410, 'request': request}
-            )
-            return HttpResponseGone()
+            response = HttpResponseGone()
+            log_response("Gone: %s", request.path, response=response, request=request)
+            return response
 
     def head(self, request, *args, **kwargs):
         return self.get(request, *args, **kwargs)
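Review bot: The new line `log_response("Gone: %s", request.path, response=response, request=request)` uses double quotes while the rest of this 2.2-era file uses single quotes (`'Method Not Allowed (%s): %s'`, `'django.request'`); the backport should follow the file's convention, i.e. `log_response('Gone: %s', request.path, response=response, request=request)`. The enclosing `RedirectView.get` starts outside this hunk, so its other branches could not be reviewed here.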
Index: Django-2.2.28/docs/releases/4.2.23.txt
===================================================================
--- /dev/null
+++ Django-2.2.28/docs/releases/4.2.23.txt
@@ -0,0 +1,14 @@
+===========================
+Django 4.2.23 release notes
+===========================
+
+*June 10, 2025*
+
+Django 4.2.23 fixes a potential log injection issue in 4.2.22.
+
+Bugfixes
+========
+
+* Fixed a log injection possibility by migrating remaining response logging
+  to ``django.utils.log.log_response()``, which safely escapes arguments such
+  as the request path to prevent unsafe log output (:cve:`2025-48432`).
Index: Django-2.2.28/django/utils/log.py
===================================================================
--- Django-2.2.28.orig/django/utils/log.py
+++ Django-2.2.28/django/utils/log.py
@@ -7,7 +7,6 @@ from django.core import mail
 from django.core.mail import get_connection
 from django.core.management.color import color_style
 from django.utils.module_loading import import_string
-from django.views.debug import ExceptionReporter
 
 request_logger = logging.getLogger('django.request')
 
@@ -116,6 +115,8 @@ class AdminEmailHandler(logging.Handler)
         else:
             exc_info = (None, record.getMessage(), None)
 
+        # breaking a cycle with django/views/generic/base.py
+        from django.views.debug import ExceptionReporter
         reporter = ExceptionReporter(request, is_email=True, *exc_info)
         message = "%s\n\n%s" % (self.format(no_exc_record), reporter.get_traceback_text())
         html_message = reporter.get_traceback_html() if self.include_html else None
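Review bot: The two django/utils/log.py hunks (the import removal above and this deferred import) are not listed in the diffstat or mentioned in the description, which only names django/views/generic/base.py, the docs and the tests; since they look like a backport-specific adaptation rather than part of upstream 957951755259b412d5113333b32bf85871d29814, the description should say so. The comment `# breaking a cycle with django/views/generic/base.py` could be more precise about which import chain closes the cycle, e.g. `# Imported here, not at module level: django.views.debug (transitively) imports django.views.generic.base, which now imports this module.` — I cannot verify the exact chain from this hunk, so confirm it before wording the comment. The enclosing `AdminEmailHandler.emit` starts and ends outside this hunk.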