From ce2c07d1628b0904faeaea5ffdf8917ea79ec321 Mon Sep 17 00:00:00 2001
From: Michael Koziarski
Date: Mon, 23 Sep 2013 10:17:58 +1200
Subject: [PATCH] Remove the use of String#% when formatting durations in log messages

This avoids potential format string vulnerabilities where user-provided data is interpolated into the log message before String#% is called.

Conflicts:
	actionpack/lib/action_controller/log_subscriber.rb
---
 actionmailer/lib/action_mailer/log_subscriber.rb | 6 +++---
 actionpack/lib/action_controller/log_subscriber.rb | 13 ++++++-------
 activesupport/lib/active_support/log_subscriber.rb | 4 ++++
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/actionmailer/lib/action_mailer/log_subscriber.rb b/actionmailer/lib/action_mailer/log_subscriber.rb
index 7ba57b1..4f4e21e 100644
--- a/actionmailer/lib/action_mailer/log_subscriber.rb
+++ b/actionmailer/lib/action_mailer/log_subscriber.rb
@@ -4,12 +4,12 @@ module ActionMailer
   class LogSubscriber < ActiveSupport::LogSubscriber
     def deliver(event)
       recipients = Array.wrap(event.payload[:to]).join(', ')
-      info("\nSent mail to #{recipients} (%1.fms)" % event.duration)
+      info("\nSent mail to #{recipients} (#{format_duration(event.duration)})")
       debug(event.payload[:mail])
     end
 
     def receive(event)
-      info("\nReceived mail (%.1fms)" % event.duration)
+      info("\nReceived mail (#{format_duration(event.duration)})")
       debug(event.payload[:mail])
     end
 
@@ -19,4 +19,4 @@ module ActionMailer
   end
 end
 
-ActionMailer::LogSubscriber.attach_to :action_mailer
\ No newline at end of file
+ActionMailer::LogSubscriber.attach_to :action_mailer
diff --git a/actionpack/lib/action_controller/log_subscriber.rb b/actionpack/lib/action_controller/log_subscriber.rb
index 8d813a8..57ce27c 100644
--- a/actionpack/lib/action_controller/log_subscriber.rb
+++ b/actionpack/lib/action_controller/log_subscriber.rb
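Review bot: The `deliver` line still embeds `recipients` (built from `event.payload[:to]`) verbatim, so the rewrite removes the format-directive problem but not log injection: a recipient address containing a newline or other control characters can forge additional log lines, and since the message deliberately starts with `"\n"`, line-oriented log tooling cannot tell a forged entry from a real one. Whether `:to` is attacker-influenced depends on the application, but addresses are commonly user-supplied, so I would strip control characters before interpolating, e.g. `recipients = Array.wrap(event.payload[:to]).join(', ').gsub(/[[:cntrl:]]/, '')`. Note also that `format_duration` is resolved on the parent `ActiveSupport::LogSubscriber` added in the activesupport hunk of this same patch, so the two files must ship together. The `LogSubscriber` class opened here closes outside this hunk.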
@@ -22,16 +22,14 @@ module ActionController
       if status.nil? && payload[:exception].present?
         status = Rack::Utils.status_code(ActionDispatch::ShowExceptions.rescue_responses[payload[:exception].first]) rescue nil
       end
-      message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in %.0fms" % event.duration
+      message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{format_duration(event.duration)}"
       message << " (#{additions.join(" | ")})" unless additions.blank?
 
       info(message)
     end
 
     def send_file(event)
-      message = "Sent file %s"
-      message << " (%.1fms)"
-      info(message % [event.payload[:path], event.duration])
+      info("Sent file #{event.payload[:path]} (#{format_duration(event.duration)})")
     end
 
     def redirect_to(event)
@@ -39,7 +37,7 @@ module ActionController
     end
 
     def send_data(event)
-      info("Sent data %s (%.1fms)" % [event.payload[:filename], event.duration])
+      info("Sent data #{event.payload[:filename]} (#{format_duration(event.duration)})")
     end
 
     %w(write_fragment read_fragment exist_fragment?
@@ -48,7 +46,8 @@ module ActionController
         def #{method}(event)
           key_or_path = event.payload[:key] || event.payload[:path]
           human_name = #{method.to_s.humanize.inspect}
-          info("\#{human_name} \#{key_or_path} \#{"(%.1fms)" % event.duration}")
+          duration = format_duration(event.duration)
+          info("\#{human_name} \#{key_or_path} \#{duration}")
         end
       METHOD
     end
@@ -59,4 +58,4 @@ module ActionController
   end
 end
 
-ActionController::LogSubscriber.attach_to :action_controller
\ No newline at end of file
+ActionController::LogSubscriber.attach_to :action_controller
diff --git a/activesupport/lib/active_support/log_subscriber.rb b/activesupport/lib/active_support/log_subscriber.rb
index 6296c1d..ed7c73b 100644
--- a/activesupport/lib/active_support/log_subscriber.rb
+++ b/activesupport/lib/active_support/log_subscriber.rb
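Review bot: The `Completed` line changes precision as a side effect: the removed line formatted with `%.0fms` (whole milliseconds), while `format_duration` in the activesupport hunk of this patch formats with `%.1fms`, so the request-summary line that log parsers commonly key on now reads `in 12.3ms` instead of `in 12ms`. The commit message only describes the format-string removal, so if the precision change is not intended the helper should take the precision as a parameter, `def format_duration(duration, precision = 1)` building `"%.#{precision}fms" % duration`, and this line should call `format_duration(event.duration, 0)`; if it is intended, say so in the commit message. `process_action` begins before this hunk; `send_file` lies entirely inside it.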
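Review bot: `send_data` now interpolates `event.payload[:filename]` directly, and a filename is one of the fields most likely to originate from a client (for example an uploaded name echoed back), so the new line is safe from `%` directives but still lets newline characters in the filename split the entry into fake log lines. A two-line change keeps the entry on one line: `filename = event.payload[:filename].to_s.gsub(/[[:cntrl:]]/, '')` followed by `info("Sent data #{filename} (#{format_duration(event.duration)})")`. I cannot see from here whether the caller already sanitizes `:filename`, so this is worth confirming before adding the guard.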
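Review bot: The fragment log lines lose their parentheses: the removed line wrapped the duration as `"(%.1fms)"`, while `format_duration` returns only `1.2ms`, so `Write fragment views/foo (1.2ms)` becomes `Write fragment views/foo 1.2ms`, inconsistent with every other call site in this patch, which writes `(#{format_duration(...)})`. Restore them in the generated method: `info("\#{human_name} \#{key_or_path} (\#{duration})")`. Keep the `\#{` escapes, since this body lives inside a `class_eval` heredoc that begins before this hunk and is evaluated from a string.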
@@ -118,5 +118,9 @@ module ActiveSupport
         bold = bold ? BOLD : ""
         "#{bold}#{color}#{text}#{CLEAR}"
       end
+
+      def format_duration(duration)
+        "%.1fms" % duration
+      end
   end
 end
-- 
1.8.3.2
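Review bot: `format_duration` is now the single place where `String#%` is allowed to touch a duration, but nothing in the hunk records why, and the next contributor adding a log line could easily write `"Sent #{name} (%.1fms)" % event.duration` again. Add a comment above the method stating the contract: `# Formats an event duration (ms) for log lines; interpolate the result into the message.` followed by `# Never apply String#% to a message that already contains request data: "%" sequences in that data would be treated as format directives.` The method's visibility depends on the `protected`/`private` keyword above this hunk, which is not visible here; the subclass call sites in actionpack and actionmailer use an implicit receiver, so either works, but a public helper would be the explicit choice if third-party subscribers are meant to use it. The `color` method that precedes the insertion starts outside this hunk.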