authorMichael Koziarski <michael@koziarski.com>2013-09-23 10:17:58 +1200
committerAaron Patterson <aaron.patterson@gmail.com>2013-09-30 14:42:11 -0700
commit5aee516b5edb49d7206cd9815c13a78b6b16c5d9 (patch)
tree7a80c938567d2d4c456208bc484026d9c3b709a3 /actionpack/lib/action_controller
parent54c05acdba138f3a7a3d44dfc922b0fe4e4cf554 (diff)
Remove the use of String#% when formatting durations in log messages
This avoids potential format string vulnerabilities where user-provided data is interpolated into the log message before String#% is called.
Diffstat (limited to 'actionpack/lib/action_controller')
-rw-r--r--actionpack/lib/action_controller/log_subscriber.rb11
1 files changed, 5 insertions, 6 deletions
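--- a/actionpack/lib/action_controller/log_subscriber.rb
+++ b/actionpack/lib/action_controller/log_subscriber.rb
@@ -23,7 +23,7 @@ module ActionController
 exception_class_name = payload[:exception].first
 status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
 end
-message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in %.0fms" % event.duration
+message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{format_duration(event.duration)}"
 message << " (#{additions.join(" | ")})" unless additions.blank?
 info(message)
@@ -34,9 +34,7 @@ module ActionController
 end
 def send_file(event)
-message = "Sent file %s"
-message << " (%.1fms)"
-info(message % [event.payload[:path], event.duration])
+info("Sent file #{event.payload[:path]} (#{format_duration(event.duration)})")
 end
 def redirect_to(event)
@@ -44,7 +42,7 @@ module ActionController
 end
 def send_data(event)
-info("Sent data %s (%.1fms)" % [event.payload[:filename], event.duration])
+info("Sent data #{event.payload[:filename]} (#{format_duration(event.duration)})")
 end
 %w(write_fragment read_fragment exist_fragment?
@@ -53,7 +51,8 @@ module ActionController
 def #{method}(event)
 key_or_path = event.payload[:key] || event.payload[:path]
 human_name = #{method.to_s.humanize.inspect}
-info("\#{human_name} \#{key_or_path} \#{"(%.1fms)" % event.duration}")
+duration = format_duration(event.duration)
+info("\#{human_name} \#{key_or_path} \#{duration}")
 end
 METHOD
 end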
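Review bot: `format_duration` is called on the new side of all four hunks but is not defined anywhere in this file section, and the commit does not say where it comes from or what it returns; presumably it is inherited from the log subscriber base class, which the description should state. The removed lines formatted the `Completed` message with `%.0fms` and the `send_file`, `send_data` and fragment messages with `%.1fms`, so routing every call through one helper necessarily changes the precision of at least one of these log lines, a behavior change the description omits — a comment such as `# format_duration is the shared helper; its precision now applies to every duration logged here` next to the first call, plus a sentence in the commit message, would make that visible. Separately, `event.payload[:path]`, `event.payload[:filename]` and `key_or_path` are still interpolated verbatim into the log message; that is unchanged by this commit, but if any of them can carry request-controlled characters such as line breaks the resulting entry can be split across log lines, so the helper (or the logger) is the place to normalize them.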