From 10f13b886b8a76889f5442f7347159d3677324d0 Mon Sep 17 00:00:00 2001
From: Eric Wong <bofh@yhbt.net>
Date: Thu, 16 Jun 2022 15:54:13 +0000
Subject: escape env['REQUEST_METHOD'] for non-strict HTTP servers

This doesn't affect most Rack HTTP servers since they have
strict parsers, but is safer in case one doesn't...

Influenced by CVE-2022-30123.
---
 ext/clogger_ext/clogger.c | 5 +++--
 lib/clogger/pure.rb       | 3 +--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ext/clogger_ext/clogger.c b/ext/clogger_ext/clogger.c
index 079817c..2ec9510 100644
--- a/ext/clogger_ext/clogger.c
+++ b/ext/clogger_ext/clogger.c
@@ -447,10 +447,11 @@ static void append_request(struct clogger *c)
 {
 	VALUE tmp;
 
-	/* REQUEST_METHOD doesn't need escaping, Rack::Lint governs it */
 	tmp = rb_hash_aref(c->env, g_REQUEST_METHOD);
-	if (!NIL_P(tmp))
+	if (!NIL_P(tmp)) {
+		tmp = byte_xs(tmp);
 		rb_str_buf_append(c->log_buf, tmp);
+	}
 
 	rb_str_buf_append(c->log_buf, g_space);
 
diff --git a/lib/clogger/pure.rb b/lib/clogger/pure.rb
index 8f1f706..7f82992 100644
--- a/lib/clogger/pure.rb
+++ b/lib/clogger/pure.rb
@@ -118,8 +118,7 @@ private
       version = env['HTTP_VERSION'] and version = " #{byte_xs(version)}"
       qs = env['QUERY_STRING']
       qs.empty? or qs = "?#{byte_xs(qs)}"
-      "#{env['REQUEST_METHOD']} " \
-        "#{request_uri(env)}#{version}"
+      "#{byte_xs(env['REQUEST_METHOD'] || '')} #{request_uri(env)}#{version}"
     when :request_uri
       request_uri(env)
     when :request_length
-- 
cgit v1.2.3-24-ge0c7