diff options
author | Eric Wong <bofh@yhbt.net> | 2022-06-16 15:54:13 +0000 |
---|---|---|
committer | Eric Wong <bofh@yhbt.net> | 2022-06-16 16:09:56 +0000 |
commit | 10f13b886b8a76889f5442f7347159d3677324d0 (patch) | |
tree | 5d5ef3fe9bc2384916ef8513233ed75495f61cb8 /ext/clogger_ext/clogger.c | |
parent | 4ee4e61d9bbbae0883bf51888239ffabd045d8d5 (diff) | |
download | clogger-10f13b886b8a76889f5442f7347159d3677324d0.tar.gz |
This doesn't affect most Rack HTTP servers since they have strict parsers, but is safer in case one doesn't... Influenced by CVE-2022-30123.
Diffstat (limited to 'ext/clogger_ext/clogger.c')
-rw-r--r-- | ext/clogger_ext/clogger.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/ext/clogger_ext/clogger.c b/ext/clogger_ext/clogger.c index 079817c..2ec9510 100644 --- a/ext/clogger_ext/clogger.c +++ b/ext/clogger_ext/clogger.c @@ -447,10 +447,11 @@ static void append_request(struct clogger *c) { VALUE tmp; - /* REQUEST_METHOD doesn't need escaping, Rack::Lint governs it */ tmp = rb_hash_aref(c->env, g_REQUEST_METHOD); - if (!NIL_P(tmp)) + if (!NIL_P(tmp)) { + tmp = byte_xs(tmp); rb_str_buf_append(c->log_buf, tmp); + } rb_str_buf_append(c->log_buf, g_space); |