authorEric Wong <normalperson@yhbt.net>2011-12-05 17:59:40 -0800
committerEric Wong <normalperson@yhbt.net>2011-12-05 17:59:40 -0800
commit3a47f23e74a681339f74b21b94241dcfe9542472 (patch)
treed29223babb471bbc1a2c42937aa917fab1035236
parentba72b12030864a05fc88bc94a3b699971cc70b0a (diff)
Cookie values are untrusted input, so if any client sends them to us
we must escape them before they reach the log.
-rw-r--r--ext/clogger_ext/clogger.c3
-rw-r--r--lib/clogger/pure.rb2
-rw-r--r--test/test_clogger.rb4
3 files changed, 4 insertions, 5 deletions
diff --git a/ext/clogger_ext/clogger.c b/ext/clogger_ext/clogger.c
index c1e3eb4..857ed9a 100644
--- a/ext/clogger_ext/clogger.c
+++ b/ext/clogger_ext/clogger.c
@@ -572,8 +572,7 @@ static void append_cookie(struct clogger *c, VALUE key)
                 cookie = g_dash;
         } else {
                 cookie = rb_hash_aref(c->cookies, key);
-                if (NIL_P(cookie))
-                        cookie = g_dash;
+                cookie = NIL_P(cookie) ? g_dash : byte_xs(cookie);
         }
         rb_str_buf_append(c->log_buf, cookie);
 }
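Review bot: The new `byte_xs(cookie)` call on the replacement line is fed whatever object sits in `c->cookies` for that key, and nothing in the hunk checks that it is a String; if the Rack cookie hash can hold a non-String value (for example when the same cookie name is sent more than once) and `byte_xs` reads it as a String, the result is a TypeError or worse rather than a log line. Unless `byte_xs` already coerces its argument (its definition is not in this hunk), I would make the expectation explicit, `cookie = NIL_P(cookie) ? g_dash : byte_xs(StringValue(cookie));`, so a bad value fails with a clear error. A one-line comment would also help the next reader see why the escape is not optional: `/* cookie values are client-controlled; escape so CR/LF and quotes cannot forge log entries */`. The enclosing `append_cookie` function begins before this hunk.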
diff --git a/lib/clogger/pure.rb b/lib/clogger/pure.rb
index 8c3d3dc..24392e7 100644
--- a/lib/clogger/pure.rb
+++ b/lib/clogger/pure.rb
@@ -177,7 +177,7 @@ private
         t = Time.now
         time_format(t.to_i, t.usec, op[1], op[2])
       when OP_COOKIE
-        (env['rack.request.cookie_hash'][op[1]] rescue "-") || "-"
+        (byte_xs(env['rack.request.cookie_hash'][op[1]]) rescue "-") || "-"
       else
         raise "EDOOFUS #{op.inspect}"
       end
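Review bot: Wrapping `byte_xs(...)` inside the `rescue "-"` modifier on the new line means any exception raised by the escaping itself is silently turned into `-`, which hides bugs in the escaper and makes this pure-Ruby path behave differently from the C extension, where the same call would raise; it also relies on `byte_xs(nil)` either returning nil or raising to produce `-` for a missing cookie, which is not visible here. I would keep the rescue only around the lookup, where it was originally needed for a missing `rack.request.cookie_hash`, and escape only a present value: `v = (env['rack.request.cookie_hash'][op[1]] rescue nil)` followed by `v ? byte_xs(v) : "-"`. The definition of `byte_xs` is outside this hunk, so whether it tolerates nil should be confirmed before relying on it. The enclosing method starts before this hunk.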
diff --git a/test/test_clogger.rb b/test/test_clogger.rb
index 10640e2..14613e0 100644
--- a/test/test_clogger.rb
+++ b/test/test_clogger.rb
@@ -424,9 +424,9 @@ class TestClogger < Test::Unit::TestCase
     cl = Clogger.new(app,
         :format => '$cookie_foo $cookie_quux',
         :logger => str)
-    req = @req.merge('HTTP_COOKIE' => "foo=bar;quux=h&m")
+    req = @req.merge('HTTP_COOKIE' => "foo=bar;quux=h%7F&m")
     status, headers, body = cl.call(req)
-    assert_equal "bar h&m\n", str.string
+    assert_equal "bar h\\x7F&m\n", str.string
   end
 
   def test_bogus_app_response
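Review bot: The updated assertion only exercises a DEL byte (`%7F`), but the reason to escape cookie values in a log line is to stop a client from injecting CR/LF (and quote characters) to forge or break log records, and that case is not covered. Assuming `byte_xs` encodes control bytes the same way it encodes 0x7F, I would add a second request with `'HTTP_COOKIE' => "foo=bar;quux=h%0A%0Dm"` and assert the log line is `"bar h\\x0A\\x0Dm\n"`, so a regression that lets a raw newline through is caught. The test method's name and start are outside this hunk.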