From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: X-Spam-Status: No, score=-4.1 required=3.0 tests=ALL_TRUSTED,AWL,BAYES_00, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, T_SCC_BODY_TEXT_LINE shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from localhost (dcvr.yhbt.net [127.0.0.1]) by dcvr.yhbt.net (Postfix) with ESMTP id C7D831F4D7 for ; Thu, 16 Jun 2022 16:13:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=yhbt.net; s=selector1; t=1655396031; bh=HHQh0Bw1dKPgQVZ5RwR9yYwuV8ntpzZHoZTKbQVQZcU=; h=From:To:Subject:Date:From; b=Bsafa74HuSBBN3Rvg3OeRYQH/szVd+f3A6KXaEH2cfCjoqE+rWiscILRKzvmDyYpf spUdn9iCKjZqYcEEbvsvdmwYCz8bbbAGfIWtNgWBOkY27ZdKEtA+/kDxsiurZ/D7JB 9SOBQS2cbdtmDqVcfmDmUejZBSf6q8VY/NOnAXAE= From: Eric Wong To: clogger-public@yhbt.net Subject: [PATCH] escape env['REQUEST_METHOD'] for non-strict HTTP servers Date: Thu, 16 Jun 2022 16:13:51 +0000 Message-Id: <20220616161351.29591-1-bofh@yhbt.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit List-Id: This doesn't affect most Rack HTTP servers since they have strict parsers, but is safer in case one doesn't... Influenced by CVE-2022-30123.
---
 ext/clogger_ext/clogger.c | 5 +++--
 lib/clogger/pure.rb | 3 +--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/ext/clogger_ext/clogger.c b/ext/clogger_ext/clogger.c
index 079817c..2ec9510 100644
--- a/ext/clogger_ext/clogger.c
+++ b/ext/clogger_ext/clogger.c
@@ -447,10 +447,11 @@ static void append_request(struct clogger *c)
 {
 	VALUE tmp;
 
-	/* REQUEST_METHOD doesn't need escaping, Rack::Lint governs it */
 	tmp = rb_hash_aref(c->env, g_REQUEST_METHOD);
-	if (!NIL_P(tmp))
+	if (!NIL_P(tmp)) {
+		tmp = byte_xs(tmp);
 		rb_str_buf_append(c->log_buf, tmp);
+	}
 
 	rb_str_buf_append(c->log_buf, g_space);
 
diff --git a/lib/clogger/pure.rb b/lib/clogger/pure.rb
index 8f1f706..7f82992 100644
--- a/lib/clogger/pure.rb
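Review bot: The removed comment explained the old escaping policy, but the new `byte_xs(tmp)` call inside the `if (!NIL_P(tmp))` branch gets no replacement rationale, so the next reader sees an escape of a value that Rack::Lint already constrains and may be tempted to drop it again. The commit message's reasoning belongs next to the call, e.g. `/* escape anyway: a lenient server may hand us an unvalidated REQUEST_METHOD (cf. CVE-2022-30123) */`; the pure-Ruby hunk in lib/clogger/pure.rb makes the same change and would benefit from the same note. The nil case still appends `g_space` unconditionally, which matches the `|| ''` fallback on the Ruby side. append_request's body continues past the end of the hunk.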
+++ b/lib/clogger/pure.rb
@@ -118,8 +118,7 @@ private
       version = env['HTTP_VERSION'] and version = " #{byte_xs(version)}"
       qs = env['QUERY_STRING']
       qs.empty? or qs = "?#{byte_xs(qs)}"
-      "#{env['REQUEST_METHOD']} " \
-      "#{request_uri(env)}#{version}"
+      "#{byte_xs(env['REQUEST_METHOD'] || '')} #{request_uri(env)}#{version}"
     when :request_uri
       request_uri(env)
     when :request_length
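Review bot: No test accompanies the new `byte_xs(env['REQUEST_METHOD'] || '')`, and because the change is deliberately defensive (the description says strict servers never produce such a value) the existing suite, which is not part of this patch, presumably never reaches it. A case that feeds a REQUEST_METHOD containing control bytes or a high byte through both the C extension and this pure-Ruby path and asserts the same escaped log line would pin the behaviour and keep the two backends in step, which matters here since the two implementations are edited independently. Whether `byte_xs` tolerates a non-String value (a lenient server could in principle store one) is not visible in this hunk and is worth confirming. The enclosing `case` and its method begin outside the hunk.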