From 5aee516b5edb49d7206cd9815c13a78b6b16c5d9 Mon Sep 17 00:00:00 2001
From: Michael Koziarski
Date: Mon, 23 Sep 2013 10:17:58 +1200
Subject: Remove the use of String#% when formatting durations in log messages

This avoids potential format string vulnerabilities where user-provided data is interpolated into the log message before String#% is called.
---
 actionpack/lib/action_controller/log_subscriber.rb | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
(limited to 'actionpack')

diff --git a/actionpack/lib/action_controller/log_subscriber.rb b/actionpack/lib/action_controller/log_subscriber.rb
index 194f26aefc..f2545ef2cd 100644
--- a/actionpack/lib/action_controller/log_subscriber.rb
+++ b/actionpack/lib/action_controller/log_subscriber.rb
@@ -23,7 +23,7 @@ module ActionController
 exception_class_name = payload[:exception].first
 status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
 end
- message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in %.0fms" % event.duration
+ message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{format_duration(event.duration)}"
 message << " (#{additions.join(" | ")})" unless additions.blank?
 
 info(message)
@@ -34,9 +34,7 @@ module ActionController
 end
 
 def send_file(event)
- message = "Sent file %s"
- message << " (%.1fms)"
- info(message % [event.payload[:path], event.duration])
+ info("Sent file #{event.payload[:path]} (#{format_duration(event.duration)})")
 end
 
 def redirect_to(event)
@@ -44,7 +42,7 @@ module ActionController
 end
 
 def send_data(event)
- info("Sent data %s (%.1fms)" % [event.payload[:filename], event.duration])
+ info("Sent data #{event.payload[:filename]} (#{format_duration(event.duration)})")
 end
 
 %w(write_fragment read_fragment exist_fragment? 
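Review bot: Every new line in this file's four hunks calls `format_duration(event.duration)`, yet the diffstat's 5 insertions are all visible here and none of them defines it, so the helper must come from the superclass or from code outside these hunks; if it does not, each of these logging paths raises NoMethodError on the first request. The removed lines also used two precisions, `%.0fms` for the Completed line in the first hunk and `%.1fms` in the send_file, send_data and fragment hunks, so funnelling all four through one helper changes the output of at least one of them unless the helper takes a precision argument, which anything parsing `in \d+ms` out of the logs would notice. A short comment on the helper's definition would make the intent durable, e.g. `# Interpolates the duration directly so payload values (paths, keys) never reach a format string`. The method containing the first hunk starts outside it.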
@@ -53,7 +51,8 @@ module ActionController
 def #{method}(event)
 key_or_path = event.payload[:key] || event.payload[:path]
 human_name = #{method.to_s.humanize.inspect}
- info("\#{human_name} \#{key_or_path} \#{"(%.1fms)" % event.duration}")
+ duration = format_duration(event.duration)
+ info("\#{human_name} \#{key_or_path} \#{duration}")
 end
 METHOD
 end
-- 
cgit v1.2.3

From 5e277c82085f6258b6aa4a19a90c6ea46686af84 Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Thu, 3 Oct 2013 11:52:44 -0700
Subject: bumping version to 3.2.15.rc1

---
 actionpack/lib/action_pack/version.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'actionpack')

diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb
index 993c5d7d2a..0029c701c7 100644
--- a/actionpack/lib/action_pack/version.rb
+++ b/actionpack/lib/action_pack/version.rb
@@ -2,8 +2,8 @@ module ActionPack
 module VERSION #:nodoc:
 MAJOR = 3
 MINOR = 2
- TINY = 14
- PRE = nil
+ TINY = 15
+ PRE = "rc1"
 
 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
 end
-- 
cgit v1.2.3

From 5ede19b7725b9f83a2231554b6d583117fbbb4c4 Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Fri, 4 Oct 2013 13:46:35 -0700
Subject: bumping to rc2

---
 actionpack/lib/action_pack/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'actionpack')

diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb
index 0029c701c7..12dd53e39d 100644
--- a/actionpack/lib/action_pack/version.rb
+++ b/actionpack/lib/action_pack/version.rb
@@ -3,7 +3,7 @@ module ActionPack
 MAJOR = 3
 MINOR = 2
 TINY = 15
- PRE = "rc1"
+ PRE = "rc2"
 
 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
 end
-- 
cgit v1.2.3

From e3abd78ee58ee8564a69c989e963ae480b8acf9f Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Fri, 11 Oct 2013 14:16:06 -0700
Subject: bumping to rc3

---
 actionpack/lib/action_pack/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'actionpack')

diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb
index 12dd53e39d..be1462b43e 100644
--- a/actionpack/lib/action_pack/version.rb
+++ b/actionpack/lib/action_pack/version.rb
@@ -3,7 +3,7 @@ module ActionPack
 MAJOR = 3
 MINOR = 2
 TINY = 15
- PRE = "rc2"
+ PRE = "rc3"
 
 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
 end
-- 
cgit v1.2.3

From 2a0c4403fd905c3d2561c8ed69ed77dbd27c6bfa Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Tue, 15 Oct 2013 11:48:53 -0700
Subject: bumping to 3.2.15

---
 actionpack/lib/action_pack/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'actionpack')

diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb
index be1462b43e..dda9fd66d2 100644
--- a/actionpack/lib/action_pack/version.rb
+++ b/actionpack/lib/action_pack/version.rb
@@ -3,7 +3,7 @@ module ActionPack
 MAJOR = 3
 MINOR = 2
 TINY = 15
- PRE = "rc3"
+ PRE = nil
 
 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
 end
-- 
cgit v1.2.3

From 538f8ba0c16bb6c57b5b79320fc1a99afd14b0e2 Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Wed, 16 Oct 2013 10:01:01 -0700
Subject: updating changelogs

---
 actionpack/CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'actionpack')

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 31136d91b3..ca2a14535c 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,4 +1,4 @@
-## unreleased ##
+## Rails 3.2.15 (Oct 16, 2013) ##
 
 * Fix `ActionDispatch::RemoteIp::GetIp#calculate_ip` to only check for spoofing attacks if both `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are set.
-- 
cgit v1.2.3