From: Eric Wong
Date: Tue, 6 Dec 2011 01:59:40 +0000 (-0800)
Subject: escape individual cookie values from $cookie_*
X-Git-Tag: v1.1.0~1
X-Git-Url: https://repo.or.cz/w/clogger.git/commitdiff_plain/3a47f23e74a681339f74b21b94241dcfe9542472

escape individual cookie values from $cookie_*

These values are untrusted, so if any client sends them to us we must escape them.
---
diff --git a/ext/clogger_ext/clogger.c b/ext/clogger_ext/clogger.c
index c1e3eb4..857ed9a 100644
--- a/ext/clogger_ext/clogger.c
+++ b/ext/clogger_ext/clogger.c
@@ -572,8 +572,7 @@ static void append_cookie(struct clogger *c, VALUE key)
 		cookie = g_dash;
 	} else {
 		cookie = rb_hash_aref(c->cookies, key);
-		if (NIL_P(cookie))
-			cookie = g_dash;
+		cookie = NIL_P(cookie) ? g_dash : byte_xs(cookie);
 	}
 	rb_str_buf_append(c->log_buf, cookie);
 }
diff --git a/lib/clogger/pure.rb b/lib/clogger/pure.rb
index 8c3d3dc..24392e7 100644
--- a/lib/clogger/pure.rb
+++ b/lib/clogger/pure.rb
@@ -177,7 +177,7 @@ private
       t = Time.now
       time_format(t.to_i, t.usec, op[1], op[2])
     when OP_COOKIE
-      (env['rack.request.cookie_hash'][op[1]] rescue "-") || "-"
+      (byte_xs(env['rack.request.cookie_hash'][op[1]]) rescue "-") || "-"
     else
       raise "EDOOFUS #{op.inspect}"
     end
diff --git a/test/test_clogger.rb b/test/test_clogger.rb
index 10640e2..14613e0 100644
--- a/test/test_clogger.rb
+++ b/test/test_clogger.rb
@@ -424,9 +424,9 @@ class TestClogger < Test::Unit::TestCase
     cl = Clogger.new(app,
                      :format => '$cookie_foo $cookie_quux',
                      :logger => str)
-    req = @req.merge('HTTP_COOKIE' => "foo=bar;quux=h&m")
+    req = @req.merge('HTTP_COOKIE' => "foo=bar;quux=h%7F&m")
     status, headers, body = cl.call(req)
-    assert_equal "bar h&m\n", str.string
+    assert_equal "bar h\\x7F&m\n", str.string
   end
 
   def test_bogus_app_response
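Review bot: The new ternary in append_cookie hands the cookie VALUE to byte_xs without saying why, and the reason (the value is client-controlled and must not be able to break the log line format) lives only in the commit message; a one-line comment above it would keep that intent in the code, e.g. `/* cookie values are client-controlled; escape so they cannot corrupt the log line */`. Whether byte_xs accepts a non-String VALUE is not visible in this hunk; if rack.request.cookie_hash can ever hold one, a StringValue check before the byte_xs call would be the safer order. The body of append_cookie starts before this hunk.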
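Review bot: Moving byte_xs inside the `rescue "-"` modifier on the OP_COOKIE line means any exception raised by the escaper itself, not just a missing cookie hash, now turns into a silent `-` in the log, so a bug in the escaping path would never surface. Separating the lookup from the escape keeps the fallback scoped to the lookup: `value = (env['rack.request.cookie_hash'][op[1]] rescue nil)` followed by `value ? byte_xs(value) : "-"`. Whether byte_xs returns nil or raises when given nil is not visible here, and the line as written reaches `-` through one of those two paths for an absent cookie. The enclosing case expression and its method begin and end outside the hunk.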
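Review bot: The updated assertion pins a single escaped byte (0x7F rendered as `\x7F`), but the property the change is meant to guarantee is that a client-supplied cookie value cannot break the one-entry-per-line log format, and no case here contains a line break. A second request using a value such as `quux=h%0Am` with the corresponding expected string would cover that directly; the exact escaped form for that byte follows byte_xs's convention, which is not visible in this hunk. The test method begins before the hunk.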