From 3a47f23e74a681339f74b21b94241dcfe9542472 Mon Sep 17 00:00:00 2001 From: Eric Wong Date: Mon, 5 Dec 2011 17:59:40 -0800 Subject: escape individual cookie values from $cookie_* These values are untrusted, so if any client sends them to us we must escape them. --- ext/clogger_ext/clogger.c | 3 +-- lib/clogger/pure.rb | 2 +- test/test_clogger.rb | 4 ++-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/ext/clogger_ext/clogger.c b/ext/clogger_ext/clogger.c index c1e3eb4..857ed9a 100644 --- a/ext/clogger_ext/clogger.c +++ b/ext/clogger_ext/clogger.c @@ -572,8 +572,7 @@ static void append_cookie(struct clogger *c, VALUE key) cookie = g_dash; } else { cookie = rb_hash_aref(c->cookies, key); - if (NIL_P(cookie)) - cookie = g_dash; + cookie = NIL_P(cookie) ? g_dash : byte_xs(cookie); } rb_str_buf_append(c->log_buf, cookie); } diff --git a/lib/clogger/pure.rb b/lib/clogger/pure.rb index 8c3d3dc..24392e7 100644 --- a/lib/clogger/pure.rb +++ b/lib/clogger/pure.rb @@ -177,7 +177,7 @@ private t = Time.now time_format(t.to_i, t.usec, op[1], op[2]) when OP_COOKIE - (env['rack.request.cookie_hash'][op[1]] rescue "-") || "-" + (byte_xs(env['rack.request.cookie_hash'][op[1]]) rescue "-") || "-" else raise "EDOOFUS #{op.inspect}" end diff --git a/test/test_clogger.rb b/test/test_clogger.rb index 10640e2..14613e0 100644 --- a/test/test_clogger.rb +++ b/test/test_clogger.rb @@ -424,9 +424,9 @@ class TestClogger < Test::Unit::TestCase cl = Clogger.new(app, :format => '$cookie_foo $cookie_quux', :logger => str) - req = @req.merge('HTTP_COOKIE' => "foo=bar;quux=h&m") + req = @req.merge('HTTP_COOKIE' => "foo=bar;quux=h%7F&m") status, headers, body = cl.call(req) - assert_equal "bar h&m\n", str.string + assert_equal "bar h\\x7F&m\n", str.string end def test_bogus_app_response -- cgit v1.2.3-24-ge0c7