ruby-changes:18568
From: nahi <ko1@a...>
Date: Tue, 18 Jan 2011 15:11:47 +0900 (JST)
Subject: [ruby-changes:18568] Ruby:r30591 (trunk): * lib/logger.rb: added RDoc document for logging message escape
nahi 2011-01-18 15:11:41 +0900 (Tue, 18 Jan 2011) New Revision: 30591 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=30591 Log: * lib/logger.rb: added RDoc document for logging message escape by Hal Brodigan. See #3869 Modified files: trunk/ChangeLog trunk/lib/logger.rb Index: ChangeLog =================================================================== --- ChangeLog (revision 30590) +++ ChangeLog (revision 30591) @@ -1,3 +1,8 @@ +Tue Jan 18 15:05:55 2011 NAKAMURA, Hiroshi <nahi@r...> + + * lib/logger.rb: added RDoc document for logging message escape + by Hal Brodigan. See #3869 + Tue Jan 18 07:53:52 2011 Tanaka Akira <akr@f...> * eval_intern.h: parenthesize macro arguments. Index: lib/logger.rb =================================================================== --- lib/logger.rb (revision 30590) +++ lib/logger.rb (revision 30591) @@ -1,7 +1,6 @@ # logger.rb - simple logging utility -# Copyright (C) 2000-2003, 2005, 2008 NAKAMURA, Hiroshi <nahi@r...>. +# Copyright (C) 2000-2003, 2005, 2008, 2011 NAKAMURA, Hiroshi <nahi@r...>. # -# Author:: NAKAMURA, Hiroshi <nakahiro@s...> # Documentation:: NAKAMURA, Hiroshi and Gavin Sinclair # License:: # You can redistribute it and/or modify it under the same terms of Ruby's 
@@ -41,6 +40,21 @@ # want to know about the program's internal state, and would set them to # +DEBUG+. # +# **Note**: Logger does not escape or sanitize any messages passed to it. +# Developers should be aware of when potentially malicious data (user-input) +# is passed to Logger, and manually escape the untrusted data: +# +# logger.info("User-input: #{input.dump}") +# logger.info("User-input: %p" % input) +# +# You can use Logger#formatter= for escaping all data. +# +# original_formatter = Logger::Formatter.new +# logger.formatter = proc { |severity, datetime, progname, msg| +# original_formatter.call(severity, datetime, progname, msg.dump) +# } +# logger.info(input) +# # === Example # # A simple example demonstrates the above explanation: -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
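Review bot: in the second hunk (lib/logger.rb header), the `-# Author:: NAKAMURA, Hiroshi <nakahiro@s...>` line is dropped, but neither the commit log nor the ChangeLog entry mentions removing the RDoc `Author::` field; the log only says an RDoc note on message escaping was added. If dropping the stale address is intended, say so in the ChangeLog entry; otherwise keep the `Author::` line, since RDoc renders it in the file header.

Review bot: in the third hunk (the new RDoc note), the formatter example `original_formatter.call(severity, datetime, progname, msg.dump)` raises NoMethodError whenever `msg` is not a String, which is exactly the case the default formatter is built to handle (an Exception passed to `logger.error`, or any non-String object, which the stock formatter renders via `inspect`). The same holds for `logger.info("User-input: #{input.dump}")`, which only works when `input` is a String. Suggest `msg.to_s.dump` in the formatter (or `msg.is_a?(String) ? msg.dump : msg.inspect`) and a sentence saying that `String#dump` is what is being relied on, so readers do not install a formatter that turns their exception logging into a crash. Minor: `**Note**` is Markdown, not RDoc; this file already uses RDoc inline markup (`+DEBUG+` two lines above), so the bold form here is `*Note*`.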