
From ac03c5e7df8680c61cdb0d3bdb8be9095dba841e Mon Sep 17 00:00:00 2001
From: Natalia <124304+nessita@users.noreply.github.com>
Date: Tue, 20 May 2025 15:29:52 -0300
Subject: [PATCH] [4.2.x] Fixed CVE-2025-48432 -- Escaped formatting arguments
 in `log_response()`.

Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.

To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.

Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.

Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>

Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.
---
 django/utils/log.py          |  7 +++-
 docs/releases/4.2.22.txt     | 14 +++++++
 tests/logging_tests/tests.py | 79 +++++++++++++++++++++++++++++++++++-
 3 files changed, 98 insertions(+), 2 deletions(-)

Index: Django-2.2.28/django/utils/log.py
===================================================================
--- Django-2.2.28.orig/django/utils/log.py
+++ Django-2.2.28/django/utils/log.py
@@ -219,8 +219,13 @@ def log_response(message, *args, respons
         else:
             level = 'info'
 
+    escaped_args = tuple(
+        a.encode("unicode_escape").decode("ascii") if isinstance(a, str) else a
+        for a in args
+    )
+
     getattr(logger, level)(
-        message, *args,
+        message, *escaped_args,
         extra={
             'status_code': response.status_code,
             'request': request,
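Review bot: The new `escaped_args` block carries no comment explaining why formatting arguments are escaped, and the effect is wider than the CRLF case named in the description: `unicode_escape` also rewrites backslashes as `\\` and every non-ASCII character as `\xNN`/`\uNNNN`, so log consumers will see changed output for ordinary non-ASCII request paths. A comment such as `# Escape control characters (e.g. CRLF, ESC) in user-supplied values to prevent log injection (CVE-2025-48432); backslashes and non-ASCII text are escaped too.` would record that intent for the next maintainer. Only `str` arguments are escaped; `message` itself and the values in `extra` are passed through unchanged, which seems acceptable because `message` appears to be a caller-supplied format literal, but it is worth confirming that no caller interpolates request data into it before calling. `log_response` begins and ends outside this hunk.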
Index: Django-2.2.28/tests/logging_tests/tests.py
===================================================================
--- Django-2.2.28.orig/tests/logging_tests/tests.py
+++ Django-2.2.28/tests/logging_tests/tests.py
@@ -148,6 +148,14 @@ class HandlerLoggingTests(SetupDefaultLo
             msg='Not Found: /does_not_exist/',
         )
 
+    def test_control_chars_escaped(self):
+        self.assertLogsRequest(
+            url="/%1B[1;31mNOW IN RED!!!1B[0m/",
+            level="WARNING",
+            status_code=404,
+            msg=r"Not Found: /\x1b[1;31mNOW IN RED!!!1B[0m/",
+        )
+
     def test_page_not_found_raised(self):
         self.assertLogsRequest(
             url='/does_not_exist_raised/',
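Review bot: `test_control_chars_escaped` exercises only an ESC byte, while the commit describes CRLF in the request path as the injection vector, so the reported case has no regression test. The `1B[0m` near the end of the URL also looks like it was meant to be `%1B[0m`; as written the request carries a single escape sequence, which the expected `msg` mirrors, so the test still passes but checks less than it appears to. A second assertion with `%0D%0A` in the path would cover the described case, assuming the logging test URLconf returns 404 for the unknown path as the existing cases do.
```python
    def test_control_chars_escaped(self):
        # … unchanged: existing ESC assertion …
        self.assertLogsRequest(
            url="/%0D%0Ainjected/",
            level="WARNING",
            status_code=404,
            msg=r"Not Found: /\r\ninjected/",
        )
```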