Changes between Initial Version and Version 4 of Ticket #36470
- Timestamp:
- Jun 18, 2025, 9:00:19 AM (3 months ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
Ticket #36470
- Property Triage Stage Unreviewed → Accepted
- Property Cc added
-
Ticket #36470 – Description
initial v4 1 `django.core.servers.basehttp.WSGIRequestHandler.log_ response()` may emit log records that are not properly escaped or sanitized, making it possible for specially crafted requests to inject terminal escape sequences or misleading log content. This only affects the internal development server (`runserver` command). Per the documentation, this server is not intended for production use and has not been security-audited.1 `django.core.servers.basehttp.WSGIRequestHandler.log_message()` may emit log records that are not properly escaped or sanitized, making it possible for specially crafted requests to inject terminal escape sequences or misleading log content. This only affects the internal development server (`runserver` command). Per the documentation, this server is not intended for production use and has not been security-audited. 2 2 3 3 Although this is not considered a vulnerability, a fix for defense-in-depth should be applied, also to avoid confusion and future security reports about the same thing. This fix would be in line to what [https://github.com/python/cpython/blob/1c7efaf58a62d848421b2da97360ba3df7d7856b/Lib/http/server.py#L626 Python does for esacaping].