Update json to 1.7.6 #512

Closed
tism opened this Issue Jan 25, 2013 · 14 comments

@tism
tism commented Jan 25, 2013

There's an issue with json 1.7.5 and the expectation Rails puts on it, which is fixed in 1.7.6. The bundled version in 1.7.2 is 1.7.5, which means that JSON.dump can fail.

@BanzaiMan
Member

Do you have a test case to verify this? I pushed the update to bf5365f in the gh-512 branch.

@dwbutler

+1

I've been wrangling with similar issues.
https://gist.github.com/4632270

@tism
tism commented Jan 25, 2013

The gist @dwbutler posted is the same reproduction I came to. JSON.dump an ActiveSupport::HashWithIndifferentAccess.

The issue should be fixed with the merge alias for configure in GeneratorState here.

@dwbutler

@tism, I thought that should have fixed it as well. But I found that the issue still occurred in JSON 1.7.6 and JSON-master. I opened a ticket on JRuby (#507) but now I'm wondering if I should open a ticket on JSON.

@dwbutler

I asked for some help here: flori/json#152

@sluukkonen
Contributor

This PR will fix the issue: flori/json#155

@edzhelyov

1.7.6 won't fix the NullPointerException. I've checked that with the following code:

gem 'json', '=1.7.6'
require 'active_support/all'

puts JSON::VERSION

h = { a: 1 }
puts JSON.dump(h)

hi = HashWithIndifferentAccess.new(h)
puts JSON.dump(hi)

flori/json#155 is most likely to fix it.

@BanzaiMan
Member

4070ab3 is the second try, based on flori/json@771e08b. @edzhelyov's test case above returns:

irb(main):015:0> puts JSON.dump(h)
{"a":1}
=> nil

@BanzaiMan
Member

If you want to test it yourself, don't forget 7adc0d1.

@BanzaiMan
Member

In case it wasn't clear: I fully intend to wait for the official JSON 1.7.6 release to merge it to master. The above commits are just for testing.

@BanzaiMan
Member

JSON 1.7.6 breaks its own tests (granted, they are a part of the MRI test suite). https://travis-ci.org/jruby/jruby/builds/4585422

BanzaiMan was assigned Feb 13, 2013

@BanzaiMan
Member

Looks like JSON 1.7.7 has been released. https://rubygems.org/gems/json/versions/1.7.7-java

@mkristian
Member

And it is advised to switch to that version for security reasons!

CVE-2013-0269
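
As an added example (not part of the thread and not JRuby or json project code): a Ruby check that scans Gemfile.lock text for resolved json versions below 1.7.7, the release recommended above for CVE-2013-0269. The helper names and the sample lockfile are constructed; the 1.7.7 threshold comes from the comment above, and other json release lines are not considered.

```ruby
# Threshold taken from the thread: 1.7.7 is the release advised for CVE-2013-0269.
MIN_SAFE_JSON = Gem::Version.new("1.7.7")

# Split a lockfile version such as "1.7.7-java" into [Gem::Version, platform].
# The platform suffix has to be removed first: Gem::Version reads "-java" as a
# prerelease marker (or rejects it on old RubyGems), which would misorder it.
def split_version(raw)
  number, platform = raw.split("-", 2)
  [Gem::Version.new(number), platform || "ruby"]
end

# Return one finding per resolved json entry in Gemfile.lock text.
def audit_json_pins(lockfile_text)
  findings = []
  lockfile_text.each_line do |line|
    # Resolved specs are indented exactly four spaces: "    json (1.7.5-java)".
    m = line.match(/\A {4}json \(([^)\s]+)\)\s*\z/)
    next unless m
    version, platform = split_version(m[1])
    findings << { version: version.to_s, platform: platform,
                  needs_upgrade: version < MIN_SAFE_JSON }
  end
  findings
end

# Constructed sample lockfile (not from the thread). Two json entries are
# listed together only to exercise both outcomes.
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      activesupport (3.2.11)
        multi_json (~> 1.0)
      json (1.7.5-java)
      json (1.7.7-java)

  DEPENDENCIES
    json
LOCK

if __FILE__ == $PROGRAM_NAME
  audit_json_pins(SAMPLE_LOCK).each do |f|
    status = f[:needs_upgrade] ? "UPGRADE" : "ok"
    puts "json #{f[:version]} (#{f[:platform]}): #{status}"
  end
end
```

A json copy bundled with the JRuby distribution itself is not listed in Gemfile.lock; for that case compare JSON::VERSION at runtime against the same threshold.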

@BanzaiMan
Member

Fixed with a216eb3.

BanzaiMan closed this Feb 13, 2013