Merge remote-tracking branch 'upstream/main'

Author: dan-mm

django/db/models/fields/related_descriptors.py

@@ -169,8 +169,11 @@ def get_prefetch_querysets(self, instances, querysets=None):
         rel_obj_attr = self.field.get_foreign_related_value
         instance_attr = self.field.get_local_related_value
         instances_dict = {instance_attr(inst): inst for inst in instances}
-        related_fields = self.field.foreign_related_fields
         remote_field = self.field.remote_field
+        related_fields = [
+            queryset.query.resolve_ref(field.name).target
+            for field in self.field.foreign_related_fields
+        ]
         queryset = queryset.filter(
             TupleIn(
                 ColPairs(

django/utils/log.py

@@ -245,9 +245,14 @@ def log_response(
         else:
             level = "info"
 
+    escaped_args = tuple(
+        a.encode("unicode_escape").decode("ascii") if isinstance(a, str) else a
+        for a in args
+    )
+
     getattr(logger, level)(
         message,
-        *args,
+        *escaped_args,
         extra={
             "status_code": response.status_code,
             "request": request,

docs/releases/4.2.22.txt

@@ -5,3 +5,17 @@ Django 4.2.22 release notes
 *June 4, 2025*
 
 Django 4.2.22 fixes a security issue with severity "low" in 4.2.21.
+
+CVE-2025-48432: Potential log injection via unescaped request path
+==================================================================
+
+Internal HTTP response logging used ``request.path`` directly, allowing control
+characters (e.g. newlines or ANSI escape sequences) to be written unescaped
+into logs. This could enable log injection or forgery, letting attackers
+manipulate log appearance or structure, especially in logs processed by
+external systems or viewed in terminals.
+
+Although this does not directly impact Django's security model, it poses risks
+when logs are consumed or interpreted by other tools. To fix this, the internal
+``django.utils.log.log_response()`` function now escapes all positional
+formatting arguments using a safe encoding.

docs/releases/5.1.10.txt

@@ -5,3 +5,17 @@ Django 5.1.10 release notes
 *June 4, 2025*
 
 Django 5.1.10 fixes a security issue with severity "low" in 5.1.9.
+
+CVE-2025-48432: Potential log injection via unescaped request path
+==================================================================
+
+Internal HTTP response logging used ``request.path`` directly, allowing control
+characters (e.g. newlines or ANSI escape sequences) to be written unescaped
+into logs. This could enable log injection or forgery, letting attackers
+manipulate log appearance or structure, especially in logs processed by
+external systems or viewed in terminals.
+
+Although this does not directly impact Django's security model, it poses risks
+when logs are consumed or interpreted by other tools. To fix this, the internal
+``django.utils.log.log_response()`` function now escapes all positional
+formatting arguments using a safe encoding.

docs/releases/5.2.2.txt

@@ -7,6 +7,20 @@ Django 5.2.2 release notes
 Django 5.2.2 fixes a security issue with severity "low" and several bugs in
 5.2.1.
 
+CVE-2025-48432: Potential log injection via unescaped request path
+==================================================================
+
+Internal HTTP response logging used ``request.path`` directly, allowing control
+characters (e.g. newlines or ANSI escape sequences) to be written unescaped
+into logs. This could enable log injection or forgery, letting attackers
+manipulate log appearance or structure, especially in logs processed by
+external systems or viewed in terminals.
+
+Although this does not directly impact Django's security model, it poses risks
+when logs are consumed or interpreted by other tools. To fix this, the internal
+``django.utils.log.log_response()`` function now escapes all positional
+formatting arguments using a safe encoding.
+
 Bugfixes
 ========
 
@@ -43,3 +57,7 @@ Bugfixes
   <django.http.HttpRequest.get_preferred_type>` did not account for media type
   parameters in ``Accept`` headers, reducing specificity in content negotiation
   (:ticket:`36411`).
+
+* Fixed a regression in Django 5.2 that caused a crash when using
+  ``QuerySet.prefetch_related()`` to prefetch a foreign key with a ``Prefetch``
+  queryset for a subclass of the foreign target (:ticket:`36432`).

docs/releases/5.2.3.txt

@@ -0,0 +1,12 @@
+==========================
+Django 5.2.3 release notes
+==========================
+
+*Expected July 2, 2025*
+
+Django 5.2.3 fixes several bugs in 5.2.2.
+
+Bugfixes
+========
+
+* ...

docs/releases/index.txt

@@ -32,6 +32,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
    :maxdepth: 1
 
+   5.2.3
    5.2.2
    5.2.1
    5.2

docs/releases/security.txt

@@ -36,6 +36,17 @@ Issues under Django's security process
 All security issues have been handled under versions of Django's security
 process. These are listed below.
 
+June 4, 2025 - :cve:`2025-48432`
+--------------------------------
+
+Potential log injection via unescaped request path.
+`Full description
+<https://www.djangoproject.com/weblog/2025/jun/04/security-releases/>`__
+
+* Django 5.2 :commit:`(patch) <7456aa23dafa149e65e62f95a6550cdb241d55ad>`
+* Django 5.1 :commit:`(patch) <596542ddb46cdabe011322917e1655f0d24eece2>`
+* Django 4.2 :commit:`(patch) <ac03c5e7df8680c61cdb0d3bdb8be9095dba841e>`
+
 May 7, 2025 - :cve:`2025-32873`
 -------------------------------
 

tests/logging_tests/tests.py

@@ -147,6 +147,14 @@ def test_page_not_found_warning(self):
             msg="Not Found: /does_not_exist/",
         )
 
+    def test_control_chars_escaped(self):
+        self.assertLogsRequest(
+            url="/%1B[1;31mNOW IN RED!!!1B[0m/",
+            level="WARNING",
+            status_code=404,
+            msg=r"Not Found: /\x1b[1;31mNOW IN RED!!!1B[0m/",
+        )
+
     async def test_async_page_not_found_warning(self):
         logger = "django.request"
         level = "WARNING"
@@ -155,6 +163,16 @@ async def test_async_page_not_found_warning(self):
 
         self.assertLogRecord(cm, level, "Not Found: /does_not_exist/", 404)
 
+    async def test_async_control_chars_escaped(self):
+        logger = "django.request"
+        level = "WARNING"
+        with self.assertLogs(logger, level) as cm:
+            await self.async_client.get(r"/%1B[1;31mNOW IN RED!!!1B[0m/")
+
+        self.assertLogRecord(
+            cm, level, r"Not Found: /\x1b[1;31mNOW IN RED!!!1B[0m/", 404
+        )
+
     def test_page_not_found_raised(self):
         self.assertLogsRequest(
             url="/does_not_exist_raised/",
@@ -705,6 +723,7 @@ def assertResponseLogged(self, logger_cm, msg, levelno, status_code, request):
         self.assertEqual(record.levelno, levelno)
         self.assertEqual(record.status_code, status_code)
         self.assertEqual(record.request, request)
+        return record
 
     def test_missing_response_raises_attribute_error(self):
         with self.assertRaises(AttributeError):
@@ -806,3 +825,64 @@ def test_logs_with_custom_logger(self):
         self.assertEqual(
             f"WARNING:my.custom.logger:{msg}", log_stream.getvalue().strip()
         )
+
+    def test_unicode_escape_escaping(self):
+        test_cases = [
+            # Control characters.
+            ("line\nbreak", "line\\nbreak"),
+            ("carriage\rreturn", "carriage\\rreturn"),
+            ("tab\tseparated", "tab\\tseparated"),
+            ("formfeed\f", "formfeed\\x0c"),
+            ("bell\a", "bell\\x07"),
+            ("multi\nline\ntext", "multi\\nline\\ntext"),
+            # Slashes.
+            ("slash\\test", "slash\\\\test"),
+            ("back\\slash", "back\\\\slash"),
+            # Quotes.
+            ('quote"test"', 'quote"test"'),
+            ("quote'test'", "quote'test'"),
+            # Accented, composed characters, emojis and symbols.
+            ("café", "caf\\xe9"),
+            ("e\u0301", "e\\u0301"),  # e + combining acute
+            ("smile🙂", "smile\\U0001f642"),
+            ("weird ☃️", "weird \\u2603\\ufe0f"),
+            # Non-Latin alphabets.
+            ("Привет", "\\u041f\\u0440\\u0438\\u0432\\u0435\\u0442"),
+            ("你好", "\\u4f60\\u597d"),
+            # ANSI escape sequences.
+            ("escape\x1b[31mred\x1b[0m", "escape\\x1b[31mred\\x1b[0m"),
+            (
+                "/\x1b[1;31mCAUTION!!YOU ARE PWNED\x1b[0m/",
+                "/\\x1b[1;31mCAUTION!!YOU ARE PWNED\\x1b[0m/",
+            ),
+            (
+                "/\r\n\r\n1984-04-22 INFO    Listening on 0.0.0.0:8080\r\n\r\n",
+                "/\\r\\n\\r\\n1984-04-22 INFO    Listening on 0.0.0.0:8080\\r\\n\\r\\n",
+            ),
+            # Plain safe input.
+            ("normal-path", "normal-path"),
+            ("slash/colon:", "slash/colon:"),
+            # Non strings.
+            (0, "0"),
+            ([1, 2, 3], "[1, 2, 3]"),
+            ({"test": "🙂"}, "{'test': '🙂'}"),
+        ]
+
+        msg = "Test message: %s"
+        for case, expected in test_cases:
+            with (
+                self.assertLogs("django.request", level="ERROR") as cm,
+                self.subTest(case=case),
+            ):
+                response = HttpResponse(status=318)
+                log_response(msg, case, response=response, level="error")
+
+                record = self.assertResponseLogged(
+                    cm,
+                    msg % expected,
+                    levelno=logging.ERROR,
+                    status_code=318,
+                    request=None,
+                )
+                # Log record is always a single line.
+                self.assertEqual(len(record.getMessage().splitlines()), 1)

tests/prefetch_related/models.py

@@ -280,6 +280,10 @@ class Meta:
         ordering = ["id"]
 
 
+class SelfDirectedEmployee(Employee):
+    pass
+
+
 # Ticket #19607