diff options
author | Eric Wong <bofh@yhbt.net> | 2022-06-16 15:54:13 +0000 |
---|---|---|
committer | Eric Wong <bofh@yhbt.net> | 2022-06-16 16:09:56 +0000 |
commit | 10f13b886b8a76889f5442f7347159d3677324d0 (patch) | |
tree | 5d5ef3fe9bc2384916ef8513233ed75495f61cb8 | |
parent | 4ee4e61d9bbbae0883bf51888239ffabd045d8d5 (diff) | |
download | clogger-10f13b886b8a76889f5442f7347159d3677324d0.tar.gz |
This doesn't affect most Rack HTTP servers since they have strict parsers, but is safer in case one doesn't... Influenced by CVE-2022-30123.
-rw-r--r-- | ext/clogger_ext/clogger.c | 5 | ||||
-rw-r--r-- | lib/clogger/pure.rb | 3 |
2 files changed, 4 insertions, 4 deletions
diff --git a/ext/clogger_ext/clogger.c b/ext/clogger_ext/clogger.c index 079817c..2ec9510 100644 --- a/ext/clogger_ext/clogger.c +++ b/ext/clogger_ext/clogger.c @@ -447,10 +447,11 @@ static void append_request(struct clogger *c) { VALUE tmp; - /* REQUEST_METHOD doesn't need escaping, Rack::Lint governs it */ tmp = rb_hash_aref(c->env, g_REQUEST_METHOD); - if (!NIL_P(tmp)) + if (!NIL_P(tmp)) { + tmp = byte_xs(tmp); rb_str_buf_append(c->log_buf, tmp); + } rb_str_buf_append(c->log_buf, g_space); diff --git a/lib/clogger/pure.rb b/lib/clogger/pure.rb index 8f1f706..7f82992 100644 --- a/lib/clogger/pure.rb +++ b/lib/clogger/pure.rb @@ -118,8 +118,7 @@ private version = env['HTTP_VERSION'] and version = " #{byte_xs(version)}" qs = env['QUERY_STRING'] qs.empty? or qs = "?#{byte_xs(qs)}" - "#{env['REQUEST_METHOD']} " \ - "#{request_uri(env)}#{version}" + "#{byte_xs(env['REQUEST_METHOD'] || '')} #{request_uri(env)}#{version}" when :request_uri request_uri(env) when :request_length |