From 5aee516b5edb49d7206cd9815c13a78b6b16c5d9 Mon Sep 17 00:00:00 2001
From: Michael Koziarski
Date: Mon, 23 Sep 2013 10:17:58 +1200
Subject: Remove the use of String#% when formatting durations in log messages
This avoids potential format string vulnerabilities where user-provided data is interpolated into the log message before String#% is called.
---
 actionmailer/lib/action_mailer/log_subscriber.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'actionmailer/lib')
diff --git a/actionmailer/lib/action_mailer/log_subscriber.rb b/actionmailer/lib/action_mailer/log_subscriber.rb
index 7ba57b19e0..4f4e21e0eb 100644
--- a/actionmailer/lib/action_mailer/log_subscriber.rb
+++ b/actionmailer/lib/action_mailer/log_subscriber.rb
@@ -4,12 +4,12 @@ module ActionMailer
 class LogSubscriber < ActiveSupport::LogSubscriber
 def deliver(event)
 recipients = Array.wrap(event.payload[:to]).join(', ')
- info("\nSent mail to #{recipients} (%1.fms)" % event.duration)
+ info("\nSent mail to #{recipients} (#{format_duration(event.duration)})")
 debug(event.payload[:mail])
 end
 def receive(event)
- info("\nReceived mail (%.1fms)" % event.duration)
+ info("\nReceived mail (#{format_duration(event.duration)})")
 debug(event.payload[:mail])
 end
@@ -19,4 +19,4 @@ module ActionMailer
 end
 end
-ActionMailer::LogSubscriber.attach_to :action_mailer
\ No newline at end of file
+ActionMailer::LogSubscriber.attach_to :action_mailer
-- 
cgit v1.2.3
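Review bot: In `deliver`, `recipients` is still interpolated into the `info` message verbatim, so the format-string path is closed but any CR/LF carried in `event.payload[:to]` would still split the entry across log lines; if that payload can hold caller-supplied text, consider neutralising line breaks first, e.g. `recipients = Array.wrap(event.payload[:to]).join(', ').gsub(/[\r\n]+/, ' ')`. The old `deliver` format was `%1.f` (no decimals) while `receive` used `%.1f`, so routing both through `format_duration` may change the precision printed for sent mail; that helper is not visible in this path-limited view, so it is worth confirming that it formats only the numeric duration. A regression test that logs a recipient containing a literal `%` and asserts it appears unchanged would pin the fix. The class body continues past the end of the first hunk.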