Fixed #36470 -- Potential log injection in development server (runserver) logging by YashRaj1506 · Pull Request #19593 · django/django · GitHub | Latest TMZ Celebrity News & Gossip | Watch TMZ Live
Skip to content

Fixed #36470 -- Potential log injection in development server (runserver) logging #19593

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Fixed #36470 -- Potential log injection in development server (runserver) logging #19593

wants to merge 2 commits into from

Conversation

YashRaj1506
Copy link
Contributor

@YashRaj1506 YashRaj1506 commented Jun 25, 2025
edited
Loading

Fixed #36470 -- Potential log injection in development server (runserver) logging

Trac ticket number

ticket-36470

Branch description

Fixed a log injection issue in Django's development server by escaping all control characters in user inputs passed to log_message(), and verified this behavior through tests.

Checklist

  • This PR targets the main branch.
  • The commit message is written in past tense, mentions the ticket number, and ends with a period.
  • I have checked the "Has patch" ticket flag in the Trac system.
  • I have added or updated relevant tests.
  • I have added or updated relevant docs, including release notes if applicable.
  • I have attached screenshots in both light and dark modes for any UI changes.

@YashRaj1506
Copy link
Contributor Author

YashRaj1506 commented Jun 25, 2025
edited
Loading

@nessita I have followed the approach you suggested, i used the logic from log_response() for escaping part. Does this look good to you? I ran the tests and it worked. Would love to know your opinion over this.

@nessita
Copy link
Contributor

nessita commented Jun 25, 2025

@nessita I have followed the approach you suggested, i used the logic from log_response() for escaping part. Does this look good to you? I ran the tests and it worked. Would love to know your opinion over this.

It looks quite good, thank you!

I was wondering if we could fully reuse log_response since the helper would allow response and other attrs to be None. Did you consider this? Would there be a blocker?

@nessita nessita mentioned this pull request Jun 25, 2025
Closed
6 tasks
@YashRaj1506
Copy link
Contributor Author

YashRaj1506 commented Jun 25, 2025
edited
Loading

@nessita I have followed the approach you suggested, i used the logic from log_response() for escaping part. Does this look good to you? I ran the tests and it worked. Would love to know your opinion over this.

It looks quite good, thank you!

I was wondering if we could fully reuse log_response since the helper would allow response and other attrs to be None. Did you consider this? Would there be a blocker?

Thank you! and about reusing the log_response(), I did some research and found that we use log_message() before the request passes by anything (directly logged into our dev server, even before hitting the middlewares or views logics), but we use log_response() when we have a proper httpresponse object which is the part after we hit the views logic in the codebase. So reusing log_response() doesnt seem like very viable to me, and our major target being handling the log injection, we use part of log_response() which solves it. (But yeah sure if we could have handled the other attrs to be None, would have been great) So yeah there are some blockers here.

What are your opinions on this @nessita ?

@YashRaj1506
Copy link
Contributor Author

@nessita i just wanted to know more of your opinions on this pr, if there is something i should look into? or the changes are satisfactory?

@shangxiao
Copy link
Contributor

@YashRaj1506 pls stop pinging people directly, the reviewers have this on their list of things to look at and it's unnecessary to burden them with further notifications 👍

@YashRaj1506
Copy link
Contributor Author

@shangxiao Totally! I get it!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@YashRaj1506 @nessita @shangxiao

TMZ Celebrity News – Breaking Stories, Videos & Gossip

Looking for the latest TMZ celebrity news? You've come to the right place. From shocking Hollywood scandals to exclusive videos, TMZ delivers it all in real time.

Whether it’s a red carpet slip-up, a viral paparazzi moment, or a legal drama involving your favorite stars, TMZ news is always first to break the story. Stay in the loop with daily updates, insider tips, and jaw-dropping photos.

🎥 Watch TMZ Live

TMZ Live brings you daily celebrity news and interviews straight from the TMZ newsroom. Don’t miss a beat—watch now and see what’s trending in Hollywood.