escape env['REQUEST_METHOD'] for non-strict HTTP servers

This doesn't affect most Rack HTTP servers since they have
strict parsers, but is safer in case one doesn't...

Influenced by CVE-2022-30123.

2 files changed, 4 insertions, 4 deletions

diff --git a/ext/clogger_ext/clogger.c b/ext/clogger_ext/clogger.c
index 079817c..2ec9510 100644
--- a/ext/clogger_ext/clogger.c
+++ b/ext/clogger_ext/clogger.c
@@ -447,10 +447,11 @@ static void append_request(struct clogger *c)
 {
         VALUE tmp;
 
-        /* REQUEST_METHOD doesn't need escaping, Rack::Lint governs it */
         tmp = rb_hash_aref(c->env, g_REQUEST_METHOD);
-        if (!NIL_P(tmp))
+        if (!NIL_P(tmp)) {
+                tmp = byte_xs(tmp);
                 rb_str_buf_append(c->log_buf, tmp);
+        }
 
         rb_str_buf_append(c->log_buf, g_space);
 
diff --git a/lib/clogger/pure.rb b/lib/clogger/pure.rb
index 8f1f706..7f82992 100644
--- a/lib/clogger/pure.rb
+++ b/lib/clogger/pure.rb
@@ -118,8 +118,7 @@ private
       version = env['HTTP_VERSION'] and version = " #{byte_xs(version)}"
       qs = env['QUERY_STRING']
       qs.empty? or qs = "?#{byte_xs(qs)}"
-      "#{env['REQUEST_METHOD']} " \
-        "#{request_uri(env)}#{version}"
+      "#{byte_xs(env['REQUEST_METHOD'] || '')} #{request_uri(env)}#{version}"
     when :request_uri
       request_uri(env)
     when :request_length