From 1c891e6deff2ba735b58b46879cce86189d07a75 Mon Sep 17 00:00:00 2001 From: June Kim Date: Mon, 11 May 2026 21:49:31 -0700 Subject: [PATCH] Fix Lint: allow lowercase and special chars in REQUEST_METHOD Middleware::Lint was incorrectly rejecting valid HTTP method tokens that contained lowercase letters or special characters. RFC 7231 section 4.1 defines method tokens as case-sensitive sequences of tchar (RFC 7230 section 3.2.6), which includes A-Z, a-z, 0-9, and !#$%&'*+-.^_`|~. This fix updates the REQUEST_METHOD validation regex to accept all valid tchar sequences, allowing methods like "get", "GeT", and "my-custom-method". Fixes #588 --- lib/Plack/Middleware/Lint.pm | 2 +- t/Plack-Middleware/lint_env.t | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/Plack/Middleware/Lint.pm b/lib/Plack/Middleware/Lint.pm index 76e9a3a19..b69827ca3 100644 --- a/lib/Plack/Middleware/Lint.pm +++ b/lib/Plack/Middleware/Lint.pm @@ -30,7 +30,7 @@ sub validate_env { unless ($env->{REQUEST_METHOD}) { die('Missing env param: REQUEST_METHOD'); } - unless ($env->{REQUEST_METHOD} =~ /^[A-Z]+$/) { + unless ($env->{REQUEST_METHOD} =~ /^[A-Za-z0-9!#\$%&'*+\-.^_`|~]+$/) { die("Invalid env param: REQUEST_METHOD($env->{REQUEST_METHOD})"); } unless (defined($env->{SCRIPT_NAME})) { # allows empty string diff --git a/t/Plack-Middleware/lint_env.t b/t/Plack-Middleware/lint_env.t index 5806378ff..b83cf2d79 100644 --- a/t/Plack-Middleware/lint_env.t +++ b/t/Plack-Middleware/lint_env.t @@ -13,11 +13,15 @@ $app = Plack::Middleware::Lint->wrap($app); my @good_env = ( { PATH_INFO => '' }, + { REQUEST_METHOD => 'get' }, + { REQUEST_METHOD => 'GeT' }, + { REQUEST_METHOD => 'my-custom-method' }, ); my @bad_env = ( [ { REQUEST_METHOD => undef }, qr/Missing env param: REQUEST_METHOD/ ], - [ { REQUEST_METHOD => "foo" },, qr/Invalid env param: REQUEST_METHOD/ ], + [ { REQUEST_METHOD => "foo bar" }, qr/Invalid env param: REQUEST_METHOD/ ], + [ { REQUEST_METHOD => "" }, qr/Missing env param: REQUEST_METHOD/ ], [ { PATH_INFO => 'foo' }, qr/PATH_INFO must begin with \// ], [ { SERVER_PORT => undef }, qr/Missing mandatory .*SERVER_PORT/ ], [ { SERVER_PROTOCOL => 'HTTP/x' }, qr/Invalid SERVER_PROTOCOL/ ],