From 8a0bedfdb6b08ebaa8fbb82e20398bea142b2138 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Mon, 9 Jun 2025 15:23:07 +0800
Subject: [PATCH] Fix CVE-2025-48432

---
 CVE-2025-48432.patch | 72 ++++++++++++++++++++++++++++++++++++++++++++
 python-django.spec | 6 +++-
 2 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-48432.patch

diff --git a/CVE-2025-48432.patch b/CVE-2025-48432.patch
new file mode 100644
index 0000000..969bea2
--- /dev/null
+++ b/CVE-2025-48432.patch
@@ -0,0 +1,72 @@
+From: Natalia <124304+nessita@users.noreply.github.com>
+Date: Tue, 20 May 2025 15:29:52 -0300
+Subject: [PATCH] [4.2.x] Fixed CVE-2025-48432 -- Escaped formatting arguments
+ in \log_response()`.
+
+Suitably crafted requests containing a CRLF sequence in the request
+path may have allowed log injection, potentially corrupting log files,
+obscuring other attacks, misleading log post-processing tools, or
+forging log entries.
+
+To mitigate this, all positional formatting arguments passed to the
+logger are now escaped using "unicode_escape" encoding.
+
+Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
+
+Co-authored-by: Carlton Gibson
+Co-authored-by: Jake Howard
+
+Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.
+---
+ django/utils/log.py | 7 ++++++-
+ tests/logging_tests/tests.py | 18 ++++++++++++++++++
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/django/utils/log.py b/django/utils/log.py
+index 2de6dbbb598c..ff68a32016a0 100644
+--- a/django/utils/log.py
++++ b/django/utils/log.py
+@@ -219,8 +219,13 @@ def log_response(message, *args, response=None, request=None, logger=request_log
+ else:
+ level = 'info'
+
++ escaped_args = tuple(
++ a.encode("unicode_escape").decode("ascii") if isinstance(a, str) else a
++ for a in args
++ )
++
+ getattr(logger, level)(
+- message, *args,
++ message, *escaped_args,
+ extra={
+ 'status_code': response.status_code,
+ 'request': request,
+diff --git a/tests/logging_tests/tests.py b/tests/logging_tests/tests.py
+index 3ab905eab6c1..97af570915fc 100644
+--- a/tests/logging_tests/tests.py
++++ b/tests/logging_tests/tests.py
+@@ -148,6 +148,24 @@ class HandlerLoggingTests(SetupDefaultLoggingMixin, LoggingAssertionMixin, Loggi
+ msg='Not Found: /does_not_exist/',
+ )
+
++ def test_control_chars_escaped(self):
++ self.assertLogsRequest(
++ url="/%1B[1;31mNOW IN RED!!!1B[0m/",
++ level="WARNING",
++ status_code=404,
++ msg=r"Not Found: /\x1b[1;31mNOW IN RED!!!1B[0m/",
++ )
++
++ async def test_async_control_chars_escaped(self):
++ logger = "django.request"
++ level = "WARNING"
++ with self.assertLogs(logger, level) as cm:
++ await self.async_client.get(r"/%1B[1;31mNOW IN RED!!!1B[0m/")
++
++ self.assertLogRecord(
++ cm, level, r"Not Found: /\x1b[1;31mNOW IN RED!!!1B[0m/", 404
++ )
++
+ def test_page_not_found_raised(self):
+ self.assertLogsRequest(
+ url='/does_not_exist_raised/',
diff --git a/python-django.spec b/python-django.spec
index 8de4e2c..e2788cf 100644
--- a/python-django.spec
+++ b/python-django.spec
@@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name: python-django
 Version: 2.2.27
-Release: 16
+Release: 17
 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License: Apache-2.0 and Python-2.0 and OFL-1.1 and MIT
 URL: https://www.djangoproject.com/
@@ -40,6 +40,7 @@ Patch21: CVE-2024-53907.patch
 Patch22: CVE-2024-56374.patch
 Patch23: CVE-2025-26699.patch
 Patch24: CVE-2025-32873.patch
+Patch25: CVE-2025-48432.patch
 BuildArch: noarch

 %description
@@ -106,6 +107,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Mon Jun 09 2025 yaoxin <1024769339@qq.com> - 2.2.27-17
+- Fix CVE-2025-48432
+

 * Fri May 09 2025 yaoxin <1024769339@qq.com> - 2.2.27-16
 - Fix CVE-2025-32873

-- Gitee
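Review bot: The added `test_async_control_chars_escaped` in the tests/logging_tests/tests.py part of CVE-2025-48432.patch calls `self.async_client`, which Django only provides from 3.1 on, while python-django.spec packages 2.2.27, so if the suite is run against this build that test fails on the missing attribute instead of exercising the fix. The sync `test_control_chars_escaped` already covers the escaping, so I would drop the async test from this backport and confirm that `assertLogRecord` exists on this tree's `LoggingAssertionMixin`, which is outside the hunk. On the django/utils/log.py side, `escaped_args` escapes only `str` positional arguments, so a non-str argument formatted through `%s` (an object whose `str()` embeds request-derived text) still reaches the handler unescaped; that matches upstream, but a comment would make the contract explicit, e.g. `# Only str args are escaped; pass request-derived values to log_response as str.`. Both enclosing definitions (`log_response` and `HandlerLoggingTests`) extend beyond the hunk.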