Sanitize some trace logs that might contain user input. #24

roblillack · Apr 29, 2022 · fa3955d · fa3955d
1 parent b8b7f93
commit fa3955d
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 8 deletions.
diff --git a/csrf.go b/csrf.go
@@ -29,12 +29,10 @@ func isSafeMethod(c *Controller) bool {
 
 func findCSRFToken(c *Controller) string {
 	if h := c.Request.Header.Get(csrfHeaderName); h != "" {
-		TRACE.Printf("Have header CSRF token: %s\n", h)
 		return h
 	}
 
 	if f := c.Params.Get(csrfFieldName); f != "" {
-		TRACE.Printf("Have form field CSRF token: %s\n", f)
 		return f
 	}
 
@@ -108,9 +106,6 @@ func CSRFFilter(c *Controller, fc []Filter) {
 	if len(csrfToken) != 22 {
 		csrfToken = generateRandomToken()
 		c.Session[csrfCookieKey] = csrfToken
-		TRACE.Printf("Created session token: %s\n", csrfToken)
-	} else {
-		TRACE.Printf("Browser sent session token: %s\n", csrfToken)
 	}
 
 	c.SetCookie(&http.Cookie{

diff --git a/http.go b/http.go
@@ -136,7 +136,7 @@ func ResolveAcceptLanguage(req *http.Request) AcceptLanguages {
 		if qualifiedRange := strings.Split(languageRange, ";q="); len(qualifiedRange) == 2 {
 			quality, error := strconv.ParseFloat(qualifiedRange[1], 32)
 			if error != nil {
-				WARN.Printf("Detected malformed Accept-Language header quality in '%s', assuming quality is 1", languageRange)
+				WARN.Printf("Detected malformed Accept-Language header quality in '%s', assuming quality is 1", removeLineBreaks(languageRange))
 				acceptLanguages[i] = AcceptLanguage{qualifiedRange[0], 1}
 			} else {
 				acceptLanguages[i] = AcceptLanguage{qualifiedRange[0], float32(quality)}

diff --git a/i18n.go b/i18n.go
@@ -228,7 +228,7 @@ func setCurrentLocaleControllerArguments(c *Controller, locale string) {
 // quality first in the slice.
 func hasAcceptLanguageHeader(request *Request) (bool, string) {
 	if request.AcceptLanguages != nil && len(request.AcceptLanguages) > 0 {
-		return true, request.AcceptLanguages[0].Language
+		return true, removeAllWhitespace(request.AcceptLanguages[0].Language)
 	}
 
 	return false, ""
@@ -239,7 +239,7 @@ func hasLocaleCookie(request *Request) (bool, string) {
 	if request != nil && request.Cookies() != nil {
 		name := Config.StringDefault(localeCookieConfigKey, CookiePrefix+"_LANG")
 		if cookie, error := request.Cookie(name); error == nil {
-			return true, cookie.Value
+			return true, removeAllWhitespace(cookie.Value)
 		} else {
 			TRACE.Printf("Unable to read locale cookie with name '%s': %s", name, error.Error())
 		}

diff --git a/sanitize.go b/sanitize.go
@@ -0,0 +1,13 @@
+package mars
+
+import "regexp"
+
+var lineBreakPattern = regexp.MustCompile(`[\r\n]+`)
+
+func removeLineBreaks(s string) string {
+	return lineBreakPattern.ReplaceAllString(s, " ")
+}
+
+func removeAllWhitespace(s string) string {
+	return whiteSpacePattern.ReplaceAllString(s, "")
+}
diff --git a/sanitize_test.go b/sanitize_test.go
@@ -0,0 +1,33 @@
+package mars
+
+import (
+	"testing"
+)
+
+func TestRemovingLineBreaks(t *testing.T) {
+	for i, exp := range map[string]string{
+		"This is a test.":             "This is a test.",
+		"This is\n a test.":           "This is  a test.",
+		"This is\r a test.":           "This is  a test.",
+		"This is\r\n a test.":         "This is  a test.",
+		"\n\n\n\n\nThis is\r a test.": " This is  a test.",
+	} {
+		if res := removeLineBreaks(i); res != exp {
+			t.Errorf("Unexpected result '%s' when removing line breaks from '%s'.\n", res, i)
+		}
+	}
+}
+
+func TestRemovingAllWhitespace(t *testing.T) {
+	for i, exp := range map[string]string{
+		"This is a test.":             "Thisisatest.",
+		"This is\n a test.":           "Thisisatest.",
+		"This is\r a test.":           "Thisisatest.",
+		"This is\r\n a test.":         "Thisisatest.",
+		"\n\n\n\n\nThis is\r a test.": "Thisisatest.",
+	} {
+		if res := removeAllWhitespace(i); res != exp {
+			t.Errorf("Unexpected result '%s' when removing all whitespace from '%s'.\n", res, i)
+		}
+	}
+}