From e43fede756b1728e47462fe89bdf35c99c21778c Mon Sep 17 00:00:00 2001
From: Kaan Kivilcim
Date: Mon, 25 Aug 2014 15:31:28 +1000
Subject: Escape CGI environment variables in HTTP 404 responses
---
 paste/urlmap.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'paste')
diff --git a/paste/urlmap.py b/paste/urlmap.py
index 59b0336..f721f2d 100644
--- a/paste/urlmap.py
+++ b/paste/urlmap.py
@@ -114,9 +114,9 @@ class URLMap(DictMixin):
 ',\n '.join(map(repr, matches)))
 else:
 extra = ''
- extra += '\nSCRIPT_NAME: %r' % environ.get('SCRIPT_NAME')
- extra += '\nPATH_INFO: %r' % environ.get('PATH_INFO')
- extra += '\nHTTP_HOST: %r' % environ.get('HTTP_HOST')
+ extra += '\nSCRIPT_NAME: %r' % cgi.escape(environ.get('SCRIPT_NAME'))
+ extra += '\nPATH_INFO: %r' % cgi.escape(environ.get('PATH_INFO'))
+ extra += '\nHTTP_HOST: %r' % cgi.escape(environ.get('HTTP_HOST'))
 app = httpexceptions.HTTPNotFound(
 environ['PATH_INFO'],
 comment=cgi.escape(extra)).wsgi_application
--
cgit v1.2.1
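Review bot: The three added lines call `cgi.escape()` directly on `environ.get(...)`, which returns None when the key is absent (HTTP_HOST is missing on a request that sends no Host header), so `cgi.escape(None)` would raise AttributeError and the 404 path would fail with a server error instead. Guard the value before escaping on all three lines, e.g. `cgi.escape(environ.get('HTTP_HOST') or '')`. The assembled `extra` string is also passed through `cgi.escape(extra)` at the end of the hunk, so these values are now escaped twice and an `&` in the path would be rendered as `&amp;amp;`; a short comment such as `# escaped here because ...; extra is escaped again below` stating which layer requires the inner pass would make the intent reviewable. The enclosing method starts and ends outside the hunk, so how `environ['PATH_INFO']` is treated as the first argument to `HTTPNotFound` cannot be confirmed from here.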