id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36470	Potential log injection in development server (runserver) logging	Natalia Bidart	YashRaj1506	"`django.core.servers.basehttp.WSGIRequestHandler.log_message()` may emit log records that are not properly escaped or sanitized, making it possible for specially crafted requests to inject terminal escape sequences or misleading log content. This only affects the internal development server (`runserver` command). Per the documentation, this server is not intended for production use and has not been security-audited.

Although this is not considered a vulnerability, a fix for defense-in-depth should be applied, also to avoid confusion and future security reports about the same thing. This fix would be in line with what [https://github.com/python/cpython/blob/1c7efaf58a62d848421b2da97360ba3df7d7856b/Lib/http/server.py#L626 Python does for escaping].

Thanks to ""Kainan Zhang (@4xpl0r3r) from Fortinet"" for the report in the security mailing list."	Cleanup/optimization	closed	Core (Management commands)	dev	Normal	fixed	runserver log_message	Jake Howard	Accepted	1	0	0	0	0	0
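The log-injection pattern the ticket describes, and the control-character escaping it points to in CPython's `http.server`, as an added example that is not code from the ticket, from Django or from the CPython standard library. The request line is constructed for the example; `naive_log_line` stands for the unescaped interpolation the ticket warns about and `escaped_log_line` for a hardened variant that builds its own translation table modelled on CPython's approach (C0 controls, DEL and the C1 range rendered as `\xNN`, backslash doubled). Function and constant names are the example's own.

```python
import itertools

# Constructed sample request line: a CR/LF pair plus an ANSI colour sequence
# smuggled into the request path so that a forged second log entry appears.
# Not taken from any real report.
INJECTED_REQUEST_LINE = (
    "GET /\r\n127.0.0.1 - - [01/Jan/2024] \x1b[31mFAKE ENTRY\x1b[0m HTTP/1.1"
)

# Translation table in the spirit of CPython's http.server: every C0 control
# character (0x00-0x1f), DEL and the C1 range (0x7f-0x9f) is rendered as a
# visible \xNN escape, and backslash itself is doubled so that an attacker
# cannot supply a literal "\x1b" that looks like an already-escaped byte.
# Built locally for the example; nothing is imported from the stdlib server.
_CONTROL_CHAR_TABLE = str.maketrans(
    {c: rf"\x{c:02x}" for c in itertools.chain(range(0x20), range(0x7F, 0xA0))}
)
_CONTROL_CHAR_TABLE[ord("\\")] = r"\\"


def naive_log_line(addr, request_line):
    """The pattern the ticket warns about: untrusted text written verbatim."""
    return f"{addr} - - {request_line}"


def escaped_log_line(addr, request_line):
    """Hardened form: control characters neutralised before reaching the sink."""
    return f"{addr} - - {request_line.translate(_CONTROL_CHAR_TABLE)}"


def has_control_chars(text):
    """True when the text still carries raw C0/C1 control characters."""
    return any(ord(ch) < 0x20 or 0x7F <= ord(ch) < 0xA0 for ch in text)


if __name__ == "__main__":
    # repr() so the raw CR/LF and ESC bytes in the naive line are visible
    # instead of being interpreted by the terminal.
    print(repr(naive_log_line("10.0.0.1", INJECTED_REQUEST_LINE)))
    print(escaped_log_line("10.0.0.1", INJECTED_REQUEST_LINE))
```

With the naive form a single request produces two terminal lines, the second of them coloured and indistinguishable from a genuine entry; with the escaped form the whole request stays on one line and the injected bytes read as `\x0d\x0a` and `\x1b[31m`, which is what a reviewer scrolling the `runserver` output would want to see.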
