Remove the use of String#% when formatting durations in log messages

This avoids potential format string vulnerabilities where user-provided data is interpolated into the log message before String#% is called.
author: Michael Koziarski <michael@koziarski.com> 2013-09-23 10:17:58 +1200
committer: Aaron Patterson <aaron.patterson@gmail.com> 2013-09-30 14:42:11 -0700
commit: 5aee516b5edb49d7206cd9815c13a78b6b16c5d9 (patch)
tree: 7a80c938567d2d4c456208bc484026d9c3b709a3 /activesupport
parent: 54c05acdba138f3a7a3d44dfc922b0fe4e4cf554 (diff)
download: rails-5aee516b5edb49d7206cd9815c13a78b6b16c5d9.tar.gz
rails-5aee516b5edb49d7206cd9815c13a78b6b16c5d9.tar.bz2
rails-5aee516b5edb49d7206cd9815c13a78b6b16c5d9.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/activesupport/lib/active_support/log_subscriber.rb b/activesupport/lib/active_support/log_subscriber.rb
index 6296c1d4b8..ed7c73b6af 100644
--- a/activesupport/lib/active_support/log_subscriber.rb
+++ b/activesupport/lib/active_support/log_subscriber.rb
@@ -118,5 +118,9 @@ module ActiveSupport
       bold  = bold ? BOLD : ""
       "#{bold}#{color}#{text}#{CLEAR}"
     end
+
+    def format_duration(duration)
+      "%.1fms" % duration
+    end
   end
 end
author	Michael Koziarski <michael@koziarski.com>	2013-09-23 10:17:58 +1200
committer	Aaron Patterson <aaron.patterson@gmail.com>	2013-09-30 14:42:11 -0700
commit	5aee516b5edb49d7206cd9815c13a78b6b16c5d9 (patch)
tree	7a80c938567d2d4c456208bc484026d9c3b709a3 /activesupport
parent	54c05acdba138f3a7a3d44dfc922b0fe4e4cf554 (diff)
download	rails-5aee516b5edb49d7206cd9815c13a78b6b16c5d9.tar.gz rails-5aee516b5edb49d7206cd9815c13a78b6b16c5d9.tar.bz2 rails-5aee516b5edb49d7206cd9815c13a78b6b16c5d9.zip