From 10f13b886b8a76889f5442f7347159d3677324d0 Mon Sep 17 00:00:00 2001 From: Eric Wong Date: Thu, 16 Jun 2022 15:54:13 +0000 Subject: escape env['REQUEST_METHOD'] for non-strict HTTP servers This doesn't affect most Rack HTTP servers since they have strict parsers, but is safer in case one doesn't... Influenced by CVE-2022-30123. --- ext/clogger_ext/clogger.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'ext/clogger_ext/clogger.c') diff --git a/ext/clogger_ext/clogger.c b/ext/clogger_ext/clogger.c index 079817c..2ec9510 100644 --- a/ext/clogger_ext/clogger.c +++ b/ext/clogger_ext/clogger.c @@ -447,10 +447,11 @@ static void append_request(struct clogger *c) { VALUE tmp; - /* REQUEST_METHOD doesn't need escaping, Rack::Lint governs it */ tmp = rb_hash_aref(c->env, g_REQUEST_METHOD); - if (!NIL_P(tmp)) + if (!NIL_P(tmp)) { + tmp = byte_xs(tmp); rb_str_buf_append(c->log_buf, tmp); + } rb_str_buf_append(c->log_buf, g_space); -- cgit v1.2.3-24-ge0c7