escape env['REQUEST_METHOD'] for non-strict HTTP servers

This doesn't affect most Rack HTTP servers since they have strict parsers, but is safer in case one doesn't... Influenced by CVE-2022-30123.
author: Eric Wong <bofh@yhbt.net> 2022-06-16 15:54:13 +0000
committer: Eric Wong <bofh@yhbt.net> 2022-06-16 16:09:56 +0000
commit: 10f13b886b8a76889f5442f7347159d3677324d0 (patch)
tree: 5d5ef3fe9bc2384916ef8513233ed75495f61cb8 /ext/clogger_ext/clogger.c
parent: 4ee4e61d9bbbae0883bf51888239ffabd045d8d5 (diff)
download: clogger-10f13b886b8a76889f5442f7347159d3677324d0.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/ext/clogger_ext/clogger.c b/ext/clogger_ext/clogger.c
index 079817c..2ec9510 100644
--- a/ext/clogger_ext/clogger.c
+++ b/ext/clogger_ext/clogger.c
@@ -447,10 +447,11 @@ static void append_request(struct clogger *c)
  {
          VALUE tmp;
  
-        /* REQUEST_METHOD doesn't need escaping, Rack::Lint governs it */
          tmp = rb_hash_aref(c->env, g_REQUEST_METHOD);
-        if (!NIL_P(tmp))
+        if (!NIL_P(tmp)) {
+                tmp = byte_xs(tmp);
                  rb_str_buf_append(c->log_buf, tmp);
+        }
  
          rb_str_buf_append(c->log_buf, g_space);
author	Eric Wong <bofh@yhbt.net>	2022-06-16 15:54:13 +0000
committer	Eric Wong <bofh@yhbt.net>	2022-06-16 16:09:56 +0000
commit	10f13b886b8a76889f5442f7347159d3677324d0 (patch)
tree	5d5ef3fe9bc2384916ef8513233ed75495f61cb8 /ext/clogger_ext/clogger.c
parent	4ee4e61d9bbbae0883bf51888239ffabd045d8d5 (diff)
download	clogger-10f13b886b8a76889f5442f7347159d3677324d0.tar.gz