From 10f13b886b8a76889f5442f7347159d3677324d0 Mon Sep 17 00:00:00 2001
From: Eric Wong <bofh@yhbt.net>
Date: Thu, 16 Jun 2022 15:54:13 +0000
Subject: escape env['REQUEST_METHOD'] for non-strict HTTP servers

This doesn't affect most Rack HTTP servers since they have
strict parsers, but is safer in case one doesn't...

Influenced by CVE-2022-30123.
---
 lib/clogger/pure.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'lib')

diff --git a/lib/clogger/pure.rb b/lib/clogger/pure.rb
index 8f1f706..7f82992 100644
--- a/lib/clogger/pure.rb
+++ b/lib/clogger/pure.rb
@@ -118,8 +118,7 @@ private
       version = env['HTTP_VERSION'] and version = " #{byte_xs(version)}"
       qs = env['QUERY_STRING']
       qs.empty? or qs = "?#{byte_xs(qs)}"
-      "#{env['REQUEST_METHOD']} " \
-        "#{request_uri(env)}#{version}"
+      "#{byte_xs(env['REQUEST_METHOD'] || '')} #{request_uri(env)}#{version}"
     when :request_uri
       request_uri(env)
     when :request_length
-- 
cgit v1.2.3-24-ge0c7