escape env['REQUEST_METHOD'] for non-strict HTTP servers

This doesn't affect most Rack HTTP servers since they have strict parsers, but is safer in case one doesn't... Influenced by CVE-2022-30123.
author: Eric Wong <bofh@yhbt.net> 2022-06-16 15:54:13 +0000
committer: Eric Wong <bofh@yhbt.net> 2022-06-16 16:09:56 +0000
commit: 10f13b886b8a76889f5442f7347159d3677324d0 (patch)
tree: 5d5ef3fe9bc2384916ef8513233ed75495f61cb8 /lib
parent: 4ee4e61d9bbbae0883bf51888239ffabd045d8d5 (diff)
download: clogger-10f13b886b8a76889f5442f7347159d3677324d0.tar.gz
1 files changed, 1 insertions, 2 deletions
diff --git a/lib/clogger/pure.rb b/lib/clogger/pure.rb
index 8f1f706..7f82992 100644
--- a/lib/clogger/pure.rb
+++ b/lib/clogger/pure.rb
@@ -118,8 +118,7 @@ private
        version = env['HTTP_VERSION'] and version = " #{byte_xs(version)}"
        qs = env['QUERY_STRING']
        qs.empty? or qs = "?#{byte_xs(qs)}"
-      "#{env['REQUEST_METHOD']} " \
-        "#{request_uri(env)}#{version}"
+      "#{byte_xs(env['REQUEST_METHOD'] || '')} #{request_uri(env)}#{version}"
      when :request_uri
        request_uri(env)
      when :request_length
author	Eric Wong <bofh@yhbt.net>	2022-06-16 15:54:13 +0000
committer	Eric Wong <bofh@yhbt.net>	2022-06-16 16:09:56 +0000
commit	10f13b886b8a76889f5442f7347159d3677324d0 (patch)
tree	5d5ef3fe9bc2384916ef8513233ed75495f61cb8 /lib
parent	4ee4e61d9bbbae0883bf51888239ffabd045d8d5 (diff)
download	clogger-10f13b886b8a76889f5442f7347159d3677324d0.tar.gz