File test-helper4.patch of Package python-Django.39541

From 10ba3f78da2e22bd232dc085e2a8a7c293c3fb73 Mon Sep 17 00:00:00 2001
From: Natalia <124304+nessita@users.noreply.github.com>
Date: Thu, 5 Jun 2025 10:07:17 -0300
Subject: [PATCH] [4.2.x] Refs CVE-2025-48432 -- Made SuspiciousOperation
 logging use log_response() for consistency.

Backport of ff835f439cb1ecd8d74a24de12e3c03e5477dc9d from main.
---
 django/core/handlers/exception.py | 21 +++++++++++----------
 tests/logging_tests/tests.py      |  9 +++++++++
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/django/core/handlers/exception.py b/django/core/handlers/exception.py
index a63291f3b94c..1243734705e8 100644
--- a/django/core/handlers/exception.py
+++ b/django/core/handlers/exception.py
@@ -116,16 +116,6 @@ def response_for_exception(request, exc):
             # exception would be raised.
             request._mark_post_parse_error()
 
-        # The request logger receives events for any problematic request
-        # The security logger receives events for all SuspiciousOperations
-        security_logger = logging.getLogger(
-            "django.security.%s" % exc.__class__.__name__
-        )
-        security_logger.error(
-            str(exc),
-            exc_info=exc,
-            extra={"status_code": 400, "request": request},
-        )
         if settings.DEBUG:
             response = debug.technical_500_response(
                 request, *sys.exc_info(), status_code=400
@@ -134,6 +124,17 @@ def response_for_exception(request, exc):
             response = get_exception_response(
                 request, get_resolver(get_urlconf()), 400, exc
             )
+        # The logger is set to django.security, which specifically captures
+        # SuspiciousOperation events, unlike the default django.request logger.
+        security_logger = logging.getLogger(f"django.security.{exc.__class__.__name__}")
+        log_response(
+            str(exc),
+            exception=exc,
+            request=request,
+            response=response,
+            level="error",
+            logger=security_logger,
+        )
 
     else:
         signals.got_request_exception.send(sender=None, request=request)
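Review bot: `str(exc)` is passed to `log_response()` as the message itself in the call added after the response is built, and a SuspiciousOperation message may embed request-derived text. `log_response()` is not shown in this patch, so confirm whether its sanitising covers the message or only the format arguments; if only the arguments, calling it as `log_response("%s", str(exc), ...)` would route the text through that path. The security event is also now emitted only after the response has been constructed, so an exception raised while building the response would leave no `django.security` record; a comment such as `# Logged after the response is built so log_response() can record its status code.` would make the ordering deliberate. `response_for_exception` starts and ends outside this hunk.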
diff --git a/tests/logging_tests/tests.py b/tests/logging_tests/tests.py
index 03409094f23c..bc88749fb7c1 100644
--- a/tests/logging_tests/tests.py
+++ b/tests/logging_tests/tests.py
@@ -597,6 +597,15 @@ def test_suspicious_email_admins(self):
         self.assertEqual(len(mail.outbox), 1)
         self.assertIn("SuspiciousOperation at /suspicious/", mail.outbox[0].body)
 
+    def test_response_logged(self):
+        with self.assertLogs("django.security.SuspiciousOperation", "ERROR") as handler:
+            response = self.client.get("/suspicious/")
+
+        self.assertLogRecord(
+            handler, "dubious", logging.ERROR, 400, request=response.wsgi_request
+        )
+        self.assertEqual(response.status_code, 400)
+
 
 class SettingsCustomLoggingTest(AdminScriptTestCase):
     """
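Review bot: `test_response_logged` does not check that the exception is still attached to the log record, even though that is the argument whose spelling changed in the handler (`exc_info=exc` became `exception=exc`). An extra assertion such as `self.assertIsNotNone(handler.records[0].exc_info)` after the `assertLogRecord` call would pin it. The `assertLogRecord` helper is defined outside this patch, so it may already offer a parameter for this. The variable `handler` holds the `assertLogs` context manager rather than a logging handler, so a name like `cm` would read more accurately. The enclosing test class starts outside the hunk.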