From 29e80b4eedadc2afd3f9f36d215076c82982971b Mon Sep 17 00:00:00 2001
From: Lafayette Chamber Singers Webmaster
Date: Sun, 14 Sep 2014 20:07:43 -0400
Subject: More cautious escaping of environment values. Tightened the escaping per this review comment: http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=f35fc6a603b5473ce2c07bb0236e28e57f718315 (I didn't introduce a $tmp, as $val was local to that block already, and each hex encoding is in its own C string literal to avoid consuming subsequent chars that are valid hex digits.)
---
 IkiWiki/Wrapper.pm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'IkiWiki/Wrapper.pm')
diff --git a/IkiWiki/Wrapper.pm b/IkiWiki/Wrapper.pm
index ffbaf9908..4c99cdaa0 100644
--- a/IkiWiki/Wrapper.pm
+++ b/IkiWiki/Wrapper.pm
@@ -63,7 +63,8 @@ EOF
 if (ref $config{ENV} eq 'HASH') {
 foreach my $key (keys %{$config{ENV}}) {
 my $val=$config{ENV}{$key};
- $val =~ s/([\\"])/\\$1/g;
+ utf8::encode($val) if utf8::is_utf8($val);
+ $val =~ s/([^A-Za-z0-9])/sprintf '""\\x%02x""', ord($1)/ge;
 $envsize += 1;
 $envsave.=<<"EOF";
 addenv("$key", "$val");
--
cgit v1.2.3
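Review bot: `$key` is still interpolated unescaped into the C string literal on the `addenv("$key", "$val");` context line, so this change protects only the value. A key in `$config{ENV}` containing `"` or `\` would still alter the generated wrapper source. Give the key the same treatment before the heredoc: the same `utf8::encode` step, then `(my $ckey=$key) =~ s/([^A-Za-z0-9_])/sprintf '""\\x%02x""', ord($1)/ge;`, and emit `addenv("$ckey", "$val");`; alternatively, reject keys that are not plain identifiers. The reason each escape sits in its own literal is given only in the commit message, so a short comment above the substitution, such as `# one C literal per \x escape so a following hex digit is not absorbed`, would help the next reader. The enclosing loop and the heredoc terminator lie outside the hunk.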