author | Michael Koziarski <michael@koziarski.com> | 2013-09-23 10:17:58 +1200 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2013-09-30 14:42:11 -0700 |
commit | 5aee516b5edb49d7206cd9815c13a78b6b16c5d9 (patch) | |
tree | 7a80c938567d2d4c456208bc484026d9c3b709a3 /activesupport/lib/active_support | |
parent | 54c05acdba138f3a7a3d44dfc922b0fe4e4cf554 (diff) | |
download | rails-5aee516b5edb49d7206cd9815c13a78b6b16c5d9.tar.gz rails-5aee516b5edb49d7206cd9815c13a78b6b16c5d9.tar.bz2 rails-5aee516b5edb49d7206cd9815c13a78b6b16c5d9.zip |
Remove the use of String#% when formatting durations in log messages
This avoids potential format string vulnerabilities where user-provided
data is interpolated into the log message before String#% is called.
Diffstat (limited to 'activesupport/lib/active_support')
-rw-r--r-- | activesupport/lib/active_support/log_subscriber.rb | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/activesupport/lib/active_support/log_subscriber.rb b/activesupport/lib/active_support/log_subscriber.rb index 6296c1d4b8..ed7c73b6af 100644 --- a/activesupport/lib/active_support/log_subscriber.rb +++ b/activesupport/lib/active_support/log_subscriber.rb @@ -118,5 +118,9 @@ module ActiveSupport bold = bold ? BOLD : "" "#{bold}#{color}#{text}#{CLEAR}" end + + def format_duration(duration) + "%.1fms" % duration + end end end |
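Review bot: The new `format_duration` helper still calls `String#%`, but with a literal format string (`"%.1fms"`) and only the numeric `duration` as the argument, so the user-controlled text the commit message is concerned about never reaches the format operation; a one-line comment above the method saying the format string must stay a literal and must never have the log message interpolated into it would keep a future edit from reintroducing the problem the commit removes. Two further points for this hunk: `"%.1fms" % duration` raises if `duration` is not numeric (a string or `nil`), so either document that callers pass a numeric millisecond value or guard with `duration.to_f`; and the visible context (`"#{bold}#{color}#{text}#{CLEAR}" end`) does not show whether the preceding `color` helper sits under a `protected` or `private` keyword, so confirm `format_duration` lands at the intended visibility for subclasses. The diffstat is limited to `activesupport/lib/active_support` and shows only the helper being added with no call sites, so the callers that replace their own `String#%` use with `format_duration` should be reviewed alongside this change.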