Opened 3 months ago
Last modified 2 months ago
#36470 assigned Cleanup/optimization
Potential log injection in development server (runserver) logging
Reported by: | Natalia Bidart | Owned by: | YashRaj1506 |
---|---|---|---|
Component: | Core (Management commands) | Version: | dev |
Severity: | Normal | Keywords: | runserver log_message |
Cc: | Jake Howard | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | yes |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
django.core.servers.basehttp.WSGIRequestHandler.log_message() may emit log records that are not properly escaped or sanitized, making it possible for specially crafted requests to inject terminal escape sequences or misleading log content. This only affects the internal development server (runserver command). Per the documentation, this server is not intended for production use and has not been security-audited.
Although this is not considered a vulnerability, a fix for defense-in-depth should be applied, also to avoid confusion and future security reports about the same thing. This fix would be in line with what Python does for escaping.
Thanks to "Kainan Zhang (@4xpl0r3r) from Fortinet" for the report on the security mailing list.
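The injection described in the ticket, and the escaping defense it points at, as an added illustration that is not code from Django, from the ticket, or from the linked pull request. It assumes the handler formats a request log entry as '"%s" %s %s' with the raw request line as the first argument; the contents of the escape table are modelled on the control-character escaping Python's http.server applies to log arguments, but its exact membership here is an assumption rather than a quote of CPython. The sample request line is constructed for the example. For contrast it also shows a narrower approach, stripping only ANSI CSI sequences, which still lets a bare CR or LF through:

```python
import itertools
import re

# Constructed sample input (not from the ticket): a request path carrying a
# CSI "erase line" sequence, a carriage return, a forged log entry and a
# newline. A client controls the request line byte-for-byte, so all of these
# reach log_message() unchanged in the vulnerable version.
HOSTILE_PATH = '/?q=\x1b[2K\r"GET /healthz HTTP/1.1" 200 -\n'
HOSTILE_REQUESTLINE = f"GET {HOSTILE_PATH} HTTP/1.1"
BENIGN_REQUESTLINE = "GET /admin/ HTTP/1.1"

# Assumed format string: the handler logs the request line, status code and
# response size with '"%s" %s %s'. The exact string is an assumption here.
REQUEST_LOG_FORMAT = '"%s" %s %s'


def log_line_unsafe(requestline, code, size):
    """Pre-fix behaviour: arguments are interpolated verbatim, so any control
    character in the request line lands in the terminal as-is."""
    return REQUEST_LOG_FORMAT % (requestline, str(code), str(size))


# Escape table in the spirit of Python's http.server: every C0 control
# character (0x00-0x1F), DEL and the C1 range (0x7F-0x9F) is rewritten as a
# visible \xNN token. The backslash itself is doubled so an attacker cannot
# smuggle literal "\x1b" text that looks like an already-escaped byte.
# The membership of this table is an assumption, not a quote of CPython.
_CONTROL_CHAR_TABLE = str.maketrans(
    {c: rf"\x{c:02x}" for c in itertools.chain(range(0x20), range(0x7F, 0xA0))}
)
_CONTROL_CHAR_TABLE[ord("\\")] = r"\\"


def escape_log_arg(value):
    """Render a log argument so it occupies exactly one line and cannot drive
    the terminal. Printable non-ASCII text (e.g. 'é') is left untouched."""
    return str(value).translate(_CONTROL_CHAR_TABLE)


def log_line_safe(requestline, code, size):
    """Same call shape as log_line_unsafe, with every argument escaped before
    interpolation. The format string is a trusted constant, so it is not
    escaped."""
    return REQUEST_LOG_FORMAT % tuple(
        escape_log_arg(a) for a in (requestline, str(code), str(size))
    )


# Narrower approach, for contrast: remove only ANSI CSI sequences
# (ESC [ parameters intermediates final-byte). Bare CR/LF and any other
# control characters survive this filter.
_ANSI_CSI_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")


def strip_ansi_only(value):
    return _ANSI_CSI_RE.sub("", str(value))


def has_control_chars(value):
    """Detection helper: True if the string could still move the cursor,
    recolour output, or inject a line break into the log."""
    return any(ord(ch) < 0x20 or 0x7F <= ord(ch) < 0xA0 for ch in str(value))


if __name__ == "__main__":
    print("unsafe:", repr(log_line_unsafe(HOSTILE_REQUESTLINE, 404, "-")))
    print("safe  :", log_line_safe(HOSTILE_REQUESTLINE, 404, "-"))
    print("CSI-only strip still has CR/LF:",
          has_control_chars(strip_ansi_only(HOSTILE_PATH)))
```

Run under a terminal, the unsafe line erases the current line and prints a forged "GET /healthz ... 200" entry followed by a real-looking line break; the safe line shows the same bytes as `\x1b[2K\x0d...\x0a` on a single line, which is also what a log-forwarding pipeline wants to see. Escaping the whole control range rather than deleting recognised CSI sequences is the more robust choice: it needs no allowlist of escape grammars, and it preserves the evidence of what the client sent instead of silently discarding it.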
Change History (7)
comment:1 by , 3 months ago
Triage Stage: Unreviewed → Accepted
comment:2 by , 3 months ago
Cc: added
comment:3 by , 3 months ago
comment:4 by , 3 months ago
Description: modified (diff)
comment:5 by , 2 months ago
Owner: set to
Status: new → assigned
comment:6 by , 2 months ago
Has patch: set
I noticed this ticket was recently assigned.
I’ve already submitted a PR to fix the issue, including a regression test:
https://github.com/django/django/pull/19592
Happy to collaborate if needed!
This patch strips ANSI escape codes from log_message() arguments in the development server to prevent terminal log injection.
It includes a regression test to verify the behavior.
comment:7 by , 2 months ago
Patch needs improvement: set
I think that an ideal solution would be to use django.utils.log.log_response() to implement django.core.servers.basehttp.WSGIRequestHandler.log_message().