-rw-r--r--ChangeLog5
-rw-r--r--lib/logger.rb18
2 files changed, 21 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index da8382acbb..ea1ff70fc6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Tue Jan 18 15:05:55 2011 NAKAMURA, Hiroshi <nahi@ruby-lang.org>
+
+ * lib/logger.rb: added RDoc document for logging message escape
+ by Hal Brodigan. See #3869
+
Tue Jan 18 07:53:52 2011 Tanaka Akira <akr@fsij.org>
* eval_intern.h: parenthesize macro arguments.
diff --git a/lib/logger.rb b/lib/logger.rb
index 5c00fe24c2..1f09af0f6b 100644
--- a/lib/logger.rb
+++ b/lib/logger.rb
@@ -1,7 +1,6 @@
# logger.rb - simple logging utility
-# Copyright (C) 2000-2003, 2005, 2008 NAKAMURA, Hiroshi <nahi@ruby-lang.org>.
+# Copyright (C) 2000-2003, 2005, 2008, 2011 NAKAMURA, Hiroshi <nahi@ruby-lang.org>.
#
-# Author:: NAKAMURA, Hiroshi <nakahiro@sarion.co.jp>
# Documentation:: NAKAMURA, Hiroshi and Gavin Sinclair
# License::
# You can redistribute it and/or modify it under the same terms of Ruby's
@@ -41,6 +40,21 @@ require 'monitor'
# want to know about the program's internal state, and would set them to
# +DEBUG+.
#
+# **Note**: Logger does not escape or sanitize any messages passed to it.
+# Developers should be aware of when potentially malicious data (user-input)
+# is passed to Logger, and manually escape the untrusted data:
+#
+# logger.info("User-input: #{input.dump}")
+# logger.info("User-input: %p" % input)
+#
+# You can use Logger#formatter= for escaping all data.
+#
+# original_formatter = Logger::Formatter.new
+# logger.formatter = proc { |severity, datetime, progname, msg|
+# original_formatter.call(severity, datetime, progname, msg.dump)
+# }
+# logger.info(input)
+#
# === Example
#
# A simple example demonstrates the above explanation:
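Review bot: The formatter example at the `original_formatter.call(severity, datetime, progname, msg.dump)` line will raise NoMethodError for the non-String messages Logger accepts, because `String#dump` is not defined on Exception or on arbitrary objects that the stock formatter otherwise stringifies itself; `original_formatter.call(severity, datetime, progname, msg.to_s.dump)` (or `msg.inspect`) keeps the escaping while accepting every message type. The note would also be more useful to readers if it said what the escaping defends against, e.g. `# Without escaping, embedded newlines or control characters in user input can forge or corrupt log entries.` Finally, `input.dump` and `"%p" % input` presumably assume `input` is already a String; `input.to_s.dump` would be the safer wording for the first example as well. This hunk sits in the file's header RDoc comment, so there is no enclosing method.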