Remove the use of String#% when formatting durations in log messages

This avoids potential format string vulnerabilities where user-provided
data is interpolated into the log message before String#% is called.

1 files changed, 3 insertions, 3 deletions

diff --git a/actionmailer/lib/action_mailer/log_subscriber.rb b/actionmailer/lib/action_mailer/log_subscriber.rb
index 7ba57b19e0..4f4e21e0eb 100644
--- a/actionmailer/lib/action_mailer/log_subscriber.rb
+++ b/actionmailer/lib/action_mailer/log_subscriber.rb
@@ -4,12 +4,12 @@ module ActionMailer
   class LogSubscriber < ActiveSupport::LogSubscriber
     def deliver(event)
       recipients = Array.wrap(event.payload[:to]).join(', ')
-      info("\nSent mail to #{recipients} (%1.fms)" % event.duration)
+      info("\nSent mail to #{recipients} (#{format_duration(event.duration)})")
       debug(event.payload[:mail])
     end
 
     def receive(event)
-      info("\nReceived mail (%.1fms)" % event.duration)
+      info("\nReceived mail (#{format_duration(event.duration)})")
       debug(event.payload[:mail])
     end
 
@@ -19,4 +19,4 @@ module ActionMailer
   end
 end
 
-ActionMailer::LogSubscriber.attach_to :action_mailer
\ No newline at end of file
+ActionMailer::LogSubscriber.attach_to :action_mailer