escape individual cookie values from $cookie_*

These values are untrusted, so if any client sends them to us
we must escape them.

1 files changed, 1 insertions, 2 deletions

diff --git a/ext/clogger_ext/clogger.c b/ext/clogger_ext/clogger.c
index c1e3eb4..857ed9a 100644
--- a/ext/clogger_ext/clogger.c
+++ b/ext/clogger_ext/clogger.c
@@ -572,8 +572,7 @@ static void append_cookie(struct clogger *c, VALUE key)
                 cookie = g_dash;
         } else {
                 cookie = rb_hash_aref(c->cookies, key);
-                if (NIL_P(cookie))
-                        cookie = g_dash;
+                cookie = NIL_P(cookie) ? g_dash : byte_xs(cookie);
         }
         rb_str_buf_append(c->log_buf, cookie);
 }