[CalendarServer-changes] [5287] CalendarServer/trunk/calendarserver/accesslog.py
source_changes at macosforge.org
Thu Mar 11 16:44:32 PST 2010
Revision: 5287
http://trac.macosforge.org/projects/calendarserver/changeset/5287
Author: dre at apple.com
Date: 2010-03-11 16:44:30 -0800 (Thu, 11 Mar 2010)
Log Message:
-----------
Sanitize log output to mitigate injection
Modified Paths:
--------------
CalendarServer/trunk/calendarserver/accesslog.py
Modified: CalendarServer/trunk/calendarserver/accesslog.py
===================================================================
--- CalendarServer/trunk/calendarserver/accesslog.py 2010-03-11 21:47:50 UTC (rev 5286)
+++ CalendarServer/trunk/calendarserver/accesslog.py 2010-03-12 00:44:30 UTC (rev 5287)
@@ -162,6 +162,16 @@
"outstandingRequests" : request.chanRequest.channel.factory.outstandingRequests,
"fwd" : forwardedFor,
}
+
+ # sanitize output to mitigate log injection
+ for k,v in formatArgs.items():
+ if not isinstance(v, basestring):
+ continue
+ v = v.replace("\r", "\\r")
+ v = v.replace("\n", "\\n")
+ v = v.replace("\"", "\\\"")
+ formatArgs[k] = v
+
self.logMessage(format % formatArgs)
elif "overloaded" in eventDict:
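Review bot: the escaping loop added in this hunk never escapes the backslash itself, so a value that already contains the two literal characters `\` and `n` comes out byte-for-byte identical to a real newline after `v.replace("\n", "\\n")`, and a consumer of the log cannot reverse the transformation or tell the two apart; add `v = v.replace("\\", "\\\\")` as the first replacement so the output stays unambiguous. The three replacements (`\r`, `\n`, `"`) also leave other control characters, such as ESC used in terminal escape sequences, untouched, so a broader control-character filter would close the remaining gap for anyone tailing the log in a terminal. Assigning `formatArgs[k] = v` while iterating `formatArgs.items()` is fine here, since `items()` returns a list on Python 2 and no keys are added or removed; a short comment noting that would save the next reader from worrying about it.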