Refs CVE-2025-48432 -- Made SuspiciousOperation logging use log_response() for consistency.

nessita · nessita · commit ff835f439cb1 · 2025-06-06T09:05:32.000-03:00
diff --git a/django/core/handlers/exception.py b/django/core/handlers/exception.py
@@ -116,16 +116,6 @@ def response_for_exception(request, exc):
             # exception would be raised.
             request._mark_post_parse_error()
 
-        # The request logger receives events for any problematic request
-        # The security logger receives events for all SuspiciousOperations
-        security_logger = logging.getLogger(
-            "django.security.%s" % exc.__class__.__name__
-        )
-        security_logger.error(
-            str(exc),
-            exc_info=exc,
-            extra={"status_code": 400, "request": request},
-        )
         if settings.DEBUG:
             response = debug.technical_500_response(
                 request, *sys.exc_info(), status_code=400
@@ -134,6 +124,17 @@ def response_for_exception(request, exc):
             response = get_exception_response(
                 request, get_resolver(get_urlconf()), 400, exc
             )
+        # The logger is set to django.security, which specifically captures
+        # SuspiciousOperation events, unlike the default django.request logger.
+        security_logger = logging.getLogger(f"django.security.{exc.__class__.__name__}")
+        log_response(
+            str(exc),
+            exception=exc,
+            request=request,
+            response=response,
+            level="error",
+            logger=security_logger,
+        )
 
     else:
         signals.got_request_exception.send(sender=None, request=request)
diff --git a/tests/logging_tests/tests.py b/tests/logging_tests/tests.py
@@ -618,6 +618,15 @@ def test_suspicious_email_admins(self):
         self.assertEqual(len(mail.outbox), 1)
         self.assertIn("SuspiciousOperation at /suspicious/", mail.outbox[0].body)
 
+    def test_response_logged(self):
+        with self.assertLogs("django.security.SuspiciousOperation", "ERROR") as handler:
+            response = self.client.get("/suspicious/")
+
+        self.assertLogRecord(
+            handler, "dubious", logging.ERROR, 400, request=response.wsgi_request
+        )
+        self.assertEqual(response.status_code, 400)
+
 
 class SettingsCustomLoggingTest(AdminScriptTestCase):
     """
