#36470: Potential log injection in development server (runserver) logging
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Core (Management commands) | Version: dev
Severity: Normal | Resolution:
Keywords: runserver log_message | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Natalia Bidart:
Old description:
> `django.core.servers.basehttp.WSGIRequestHandler.log_response()` may emit
> log records that are not properly escaped or sanitized, making it
> possible for specially crafted requests to inject terminal escape
> sequences or misleading log content. This only affects the internal
> development server (`runserver` command). Per the documentation, this
> server is not intended for production use and has not been
> security-audited.
>
> Although this is not considered a vulnerability, a fix for
> defense-in-depth should be applied, also to avoid confusion and future
> security reports about the same thing. This fix would be in line with what
> [https://github.com/python/cpython/blob/1c7efaf58a62d848421b2da97360ba3df7d7856b/Lib/http/server.py#L626
> Python does for escaping].
>
> Thanks to "Kainan Zhang (@4xpl0r3r) from Fortinet" for the report in the
> security mailing list.
New description:
`django.core.servers.basehttp.WSGIRequestHandler.log_message()` may emit
log records that are not properly escaped or sanitized, making it possible
for specially crafted requests to inject terminal escape sequences or
misleading log content. This only affects the internal development server
(`runserver` command). Per the documentation, this server is not intended
for production use and has not been security-audited.

Although this is not considered a vulnerability, a fix for
defense-in-depth should be applied, also to avoid confusion and future
security reports about the same thing. This fix would be in line with what
[https://github.com/python/cpython/blob/1c7efaf58a62d848421b2da97360ba3df7d7856b/Lib/http/server.py#L626
Python does for escaping].

Thanks to "Kainan Zhang (@4xpl0r3r) from Fortinet" for the report in the
security mailing list.
Ticket URL: <https://code.djangoproject.com/ticket/36470#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.