From 5aee516b5edb49d7206cd9815c13a78b6b16c5d9 Mon Sep 17 00:00:00 2001
From: Michael Koziarski <michael@koziarski.com>
Date: Mon, 23 Sep 2013 10:17:58 +1200
Subject: [PATCH] Remove the use of String#% when formatting durations in log
 messages

This avoids potential format string vulnerabilities where user-provided
data is interpolated into the log message before String#% is called.
---
 actionpack/lib/action_controller/log_subscriber.rb | 11 +++++------
 1 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/actionpack/lib/action_controller/log_subscriber.rb b/actionpack/lib/action_controller/log_subscriber.rb
index 194f26a..f2545ef 100644
--- a/actionpack/lib/action_controller/log_subscriber.rb
+++ b/actionpack/lib/action_controller/log_subscriber.rb
@@ -23,7 +23,7 @@ module ActionController
         exception_class_name = payload[:exception].first
         status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
       end
-      message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in %.0fms" % event.duration
+      message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{format_duration(event.duration)}"
       message << " (#{additions.join(" | ")})" unless additions.blank?
 
       info(message)
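Review bot: The new line calls `format_duration(event.duration)`, but this patch adds no definition of `format_duration`; unless it already exists on the subscriber (or a superclass such as ActiveSupport::LogSubscriber) outside the view, every request completion would raise NoMethodError. The same call appears in the `send_file`, `send_data` and fragment-cache hunks below, so one missing helper affects all four call sites. Note also that this line previously rendered the duration with `%.0fms` while the other sites used `%.1fms`; routing all of them through one helper presumably unifies the precision, which is a small log-format change worth mentioning in the commit message. The enclosing `process_action` method starts above this hunk.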
@@ -34,9 +34,7 @@ module ActionController
     end
 
     def send_file(event)
-      message = "Sent file %s"
-      message << " (%.1fms)"
-      info(message % [event.payload[:path], event.duration])
+      info("Sent file #{event.payload[:path]} (#{format_duration(event.duration)})")
     end
 
     def redirect_to(event)
@@ -44,7 +42,7 @@ module ActionController
     end
 
     def send_data(event)
-      info("Sent data %s (%.1fms)" % [event.payload[:filename], event.duration])
+      info("Sent data #{event.payload[:filename]}  (#{format_duration(event.duration)})")
     end
 
     %w(write_fragment read_fragment exist_fragment?
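Review bot: The rewritten `send_data` message has two spaces before the opening parenthesis, whereas the removed line (and the `send_file` line in the previous hunk) used one; this changes the log line's layout for no reason. Use `info("Sent data #{event.payload[:filename]} (#{format_duration(event.duration)})")`. Interpolating the user-controlled filename directly, without a later `String#%`, is the right fix for the format-string concern described in the commit message.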
@@ -53,7 +51,8 @@ module ActionController
         def #{method}(event)
           key_or_path = event.payload[:key] || event.payload[:path]
           human_name  = #{method.to_s.humanize.inspect}
-          info("\#{human_name} \#{key_or_path} \#{"(%.1fms)" % event.duration}")
+          duration = format_duration(event.duration)
+          info("\#{human_name} \#{key_or_path} \#{duration}")
         end
       METHOD
     end
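Review bot: The interpolated `\#{duration}` on the new `info` line is no longer wrapped in parentheses, while the removed line produced `(…ms)` and the `send_file`/`send_data` hunks still wrap `format_duration(...)` in `(...)`; either the fragment-cache messages lose their parentheses or, if `format_duration` adds them itself, the other two sites now emit double parentheses. Make the four call sites agree, e.g. `info("\#{human_name} \#{key_or_path} (\#{duration})")` if the helper returns a bare value. The `%w(...).each` loop and the heredoc that generate these methods begin outside the hunk, so the escaping of `\#{...}` should be checked against the `class_eval` wrapper above.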
-- 
1.8.3.2