[3.14] gh-94503: Update logging cookbook example with info on addressing log injection. (GH-136446) #136449

Merged
merged 1 commit into from
Jul 9, 2025
36 changes: 36 additions & 0 deletions Doc/howto/logging-cookbook.rst
Expand Up @@ -4140,6 +4140,42 @@ The script, when run, prints something like:
2025-07-02 13:54:47,234 DEBUG fool me ...
2025-07-02 13:54:47,234 DEBUG can't get fooled again

If, on the other hand, you are concerned about `log injection
<https://owasp.org/www-community/attacks/Log_Injection>`_, you can use a
formatter which escapes newlines, as per the following example:

.. code-block:: python

import logging

logger = logging.getLogger(__name__)

class EscapingFormatter(logging.Formatter):
def format(self, record):
s = super().format(record)
return s.replace('\n', r'\n')

if __name__ == '__main__':
h = logging.StreamHandler()
h.setFormatter(EscapingFormatter('%(asctime)s %(levelname)-9s %(message)s'))
logging.basicConfig(level=logging.DEBUG, handlers = [h])
logger.debug('Single line')
logger.debug('Multiple lines:\nfool me once ...')
logger.debug('Another single line')
logger.debug('Multiple lines:\n%s', 'fool me ...\ncan\'t get fooled again')

You can, of course, use whatever escaping scheme makes the most sense for you.
The script, when run, should produce output like this:

.. code-block:: text

2025-07-09 06:47:33,783 DEBUG Single line
2025-07-09 06:47:33,783 DEBUG Multiple lines:\nfool me once ...
2025-07-09 06:47:33,783 DEBUG Another single line
2025-07-09 06:47:33,783 DEBUG Multiple lines:\nfool me ...\ncan't get fooled again

Escaping behaviour can't be the stdlib default , as it would break backwards
compatibility.

.. patterns-to-avoid:
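
Review bot: The ``format`` override in ``EscapingFormatter`` replaces only ``'\n'``, so a carriage return in a message still reaches the output unescaped, and a message that already contains a literal backslash followed by ``n`` cannot be told apart from an escaped newline when the log is read back. Consider escaping the backslash first and then ``'\r'`` as well as ``'\n'``, or saying in the prose that the example deliberately handles newlines only. Because the replacement is applied to the result of ``super().format(record)``, any traceback text appended by ``logger.exception`` is collapsed onto one line too, which deserves a sentence for readers who rely on multi-line tracebacks. Minor style points: ``handlers = [h]`` should be ``handlers=[h]`` per PEP 8, and there is a stray space before the comma in "stdlib default , as it would break".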
