From 9ffaa7e96b91f99751592b60ea1351b5e1264c08 Mon Sep 17 00:00:00 2001 From: nahi Date: Tue, 18 Jan 2011 06:11:41 +0000 Subject: [PATCH] * lib/logger.rb: added RDoc document for logging message escape by Hal Brodigan. See #3869 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@30591 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- ChangeLog | 5 +++++ lib/logger.rb | 18 ++++++++++++++++-- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index da8382acbb..ea1ff70fc6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +Tue Jan 18 15:05:55 2011 NAKAMURA, Hiroshi + + * lib/logger.rb: added RDoc document for logging message escape + by Hal Brodigan. See #3869 + Tue Jan 18 07:53:52 2011 Tanaka Akira * eval_intern.h: parenthesize macro arguments. diff --git a/lib/logger.rb b/lib/logger.rb index 5c00fe24c2..1f09af0f6b 100644 --- a/lib/logger.rb +++ b/lib/logger.rb @@ -1,7 +1,6 @@ # logger.rb - simple logging utility -# Copyright (C) 2000-2003, 2005, 2008 NAKAMURA, Hiroshi . +# Copyright (C) 2000-2003, 2005, 2008, 2011 NAKAMURA, Hiroshi . # -# Author:: NAKAMURA, Hiroshi # Documentation:: NAKAMURA, Hiroshi and Gavin Sinclair # License:: # You can redistribute it and/or modify it under the same terms of Ruby's @@ -41,6 +40,21 @@ require 'monitor' # want to know about the program's internal state, and would set them to # +DEBUG+. # +# **Note**: Logger does not escape or sanitize any messages passed to it. +# Developers should be aware of when potentially malicious data (user-input) +# is passed to Logger, and manually escape the untrusted data: +# +# logger.info("User-input: #{input.dump}") +# logger.info("User-input: %p" % input) +# +# You can use Logger#formatter= for escaping all data. +# +# original_formatter = Logger::Formatter.new +# logger.formatter = proc { |severity, datetime, progname, msg| +# original_formatter.call(severity, datetime, progname, msg.dump) +# } +# logger.info(input) +# # === Example # # A simple example demonstrates the above explanation: