mod_lua: escape key/value pairs when setting cookies to prevent header splitting...

author Daniel Gruno <humbedooh@apache.org>

Thu, 27 Mar 2014 10:58:35 +0000 (10:58 +0000)

committer Daniel Gruno <humbedooh@apache.org>

Thu, 27 Mar 2014 10:58:35 +0000 (10:58 +0000)
author Daniel Gruno <humbedooh@apache.org>
Thu, 27 Mar 2014 10:58:35 +0000 (10:58 +0000)
committer Daniel Gruno <humbedooh@apache.org>
Thu, 27 Mar 2014 10:58:35 +0000 (10:58 +0000)
diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c

index 652ba4013d4b51c7cecfa10134c1042282585c78..83ecd88cff580cdf24b6c0ba7a17949622846d8a 100644 (file)
--- a/modules/lua/lua_request.c
+++ b/modules/lua/lua_request.c
@@ -2057,6 +2057,10 @@ static int lua_set_cookie(lua_State *L)
          strdomain = apr_psprintf(r->pool, "Domain=%s;", domain);
      }
      
+    /* URL-encode key/value */
+    value = ap_escape_urlencoded(r->pool, value);
+    key = ap_escape_urlencoded(r->pool, key);
+    
      /* Create the header */
      out = apr_psprintf(r->pool, "%s=%s; %s %s %s %s %s", key, value, 
              secure ? "Secure;" : "",
author	Daniel Gruno <humbedooh@apache.org>
	Thu, 27 Mar 2014 10:58:35 +0000 (10:58 +0000)
committer	Daniel Gruno <humbedooh@apache.org>
	Thu, 27 Mar 2014 10:58:35 +0000 (10:58 +0000)