Escape non-printable characters when logging.

jeremyevans · ioquatix · commit 4aa19786a0aa · 2025-02-12T16:12:46.000+13:00
diff --git a/lib/rack/common_logger.rb b/lib/rack/common_logger.rb
@@ -20,7 +20,7 @@ class CommonLogger
     # The actual format is slightly different than the above due to the
     # separation of SCRIPT_NAME and PATH_INFO, and because the elapsed
     # time in seconds is included at the end.
-    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f\n}
+    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f }
 
     # +logger+ can be any object that supports the +write+ or +<<+ methods,
     # which includes the standard library Logger.  These methods are called
@@ -66,7 +66,8 @@ def log(env, status, response_headers, began_at)
         length,
         Utils.clock_time - began_at)
 
-      msg.gsub!(/[^[:print:]\n]/) { |c| sprintf("\\x%x", c.ord) }
+      msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) }
+      msg[-1] = "\n"
 
       logger = @logger || request.get_header(RACK_ERRORS)
       # Standard library logger doesn't support write but it supports << which actually
diff --git a/test/spec_common_logger.rb b/test/spec_common_logger.rb
@@ -107,12 +107,17 @@ def with_mock_time(t = 0)
     (0..1).must_include duration.to_f
   end
 
-  it "escapes non printable characters except newline" do
+  it "escapes non printable characters including newline" do
     logdev = StringIO.new
     log = Logger.new(logdev)
     Rack::MockRequest.new(Rack::CommonLogger.new(app_without_lint, log)).request("GET\x1f", "/hello")
 
     logdev.string.must_match(/GET\\x1f \/hello HTTP\/1\.1/)
+
+    Rack::MockRequest.new(Rack::CommonLogger.new(app, log)).get("/", 'REMOTE_USER' => "foo\nbar", "QUERY_STRING" => "bar\nbaz")
+    logdev.string[-1].must_equal "\n"
+    logdev.string.must_include("foo\\xabar")
+    logdev.string.must_include("bar\\xabaz")
   end
 
   it "log path with PATH_INFO" do
