From 5aee516b5edb49d7206cd9815c13a78b6b16c5d9 Mon Sep 17 00:00:00 2001
From: Michael Koziarski
Date: Mon, 23 Sep 2013 10:17:58 +1200
Subject: Remove the use of String#% when formatting durations in log messages

This avoids potential format string vulnerabilities where user-provided data is interpolated into the log message before String#% is called.
---
 activesupport/lib/active_support/log_subscriber.rb | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'activesupport/lib/active_support/log_subscriber.rb')

diff --git a/activesupport/lib/active_support/log_subscriber.rb b/activesupport/lib/active_support/log_subscriber.rb
index 6296c1d4b8..ed7c73b6af 100644
--- a/activesupport/lib/active_support/log_subscriber.rb
+++ b/activesupport/lib/active_support/log_subscriber.rb
@@ -118,5 +118,9 @@ module ActiveSupport
       bold = bold ? BOLD : ""
       "#{bold}#{color}#{text}#{CLEAR}"
     end
+
+    def format_duration(duration)
+      "%.1fms" % duration
+    end
   end
 end
--
cgit v1.2.3
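Review bot: The new `format_duration` carries no comment recording the invariant that makes it safe — the format string is a literal and `duration` is its only argument — so a later edit that first interpolates event data into a string and then calls `%` on it would quietly reintroduce the issue this commit fixes. I would document that above the `def`: `# Formats a duration (ms) with a fixed, literal format string. Never apply String#% to a message built by interpolation; subscribers should call format_duration(event.duration) and interpolate the result.` The commit title says String#% is removed, but the helper still uses it; the actual mitigation is that the format string is now constant, which the comment should say so the intent survives. Note also that `"%.1fms" % nil` raises a TypeError, so callers must pass a numeric duration; the hunk does not show where the helper is called or whether it sits under a visibility modifier such as `protected`, so that should be checked against the surrounding file.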