Rails 4.2.11.2: uninitialized constant Module::DELEGATION_RESERVED_METHOD_NAMES #39301
Comments
I believe the problem is that rails/activesupport/lib/active_support/core_ext/module/delegation.rb Lines 12 to 14 in ac6aa32
Whereas
|
I have a PR up for this in #39302. |
I'm curious to know how this passed through review and automated testing to make it to an official release. |
I am very sorry. I will make a release again. |
Please note that Rails 4.2 is not supported. We are trying to do a favor for people still using that unsupported version by releasing a new version instead of just sending an advisory with a patch. The Rails 4.2 build is not passing anymore given that the Ruby versions supported today are different from the versions supported on that series, so we can't expect the build to pass when we make a security release. That is how this passed through review and automated testing to make it into an unsupported official release. |
It's alright, mistakes happen! I was surprised that Rails 4.2, which is EOL, received a security patch. And then I was surprised that it didn't work out of the box. I hope I didn't come off as blaming, I just wanted to see if there were process or automation fixes that should go in as well.
As someone who is currently running Rails 4.2 + Ruby 2.4 I'd be happy to help get the build green again. I would just need some pointers in the right direction. |
Thank you for the offer but Rails 4.2 is not supported anymore and even just reviewing changes to the test suite would still require time and energy from the core team on a version that is not supported. |
Thanks, @tenderlove! |
I shipped 4.2.11.3 with #39302. Thanks for reporting this as well as the PR to fix it. |
This commit 4c46a15 broke redmine 3.4 (/my/page):
production.log:
After manually reverting this patch the error is gone. |
? |
Yes, it was expected to break this usage. Redmine needs to be updated. |
Redmine 3.4 is already an old and unsupported version, the last from the 3.x branch, which uses Rails 4. I don't think anybody will fix it now. |
Hi, I'm part of the Debian LTS Security Team and I'm looking into fixing CVE-2020-8163 for Debian Jessie and Debian Stretch -- preferably without breaking existing apps :) Using a local named "block" appears to be the root cause of the regression here. I see at d9ff835

```diff
# still be available in local_assigns.
- locals = @locals.to_set - Module::DELEGATION_RESERVED_METHOD_NAMES.dup.delete("block")
+ locals = @locals - Module::RUBY_RESERVED_KEYWORDS
locals = locals.grep(/\A(?![A-Z0-9])(?:[[:alnum:]_]|[^\0-\177])+\z/)
```

that the current/master rails checks use RUBY_RESERVED_KEYWORDS (which doesn't include "block") rather than DELEGATION_RESERVED_METHOD_NAMES.
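Review bot: the `+` line drops the `.to_set` that the `-` line had, so `@locals - Module::RUBY_RESERVED_KEYWORDS` now goes through `Array#-`, which raises `TypeError` unless its argument converts to an Array; when backporting this to 4.2, confirm that `RUBY_RESERVED_KEYWORDS` there is an Array rather than a Set, or keep the `.to_set`. Also note the unchanged `grep` line that follows: it is the identifier regex, not the reserved-word subtraction, that rejects anything which is not a plain local variable name, so re-admitting `block`, `args`, `arg` and `_` by subtracting only Ruby keywords is safe only if that `grep` line is carried over together with the `+` line.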
Would it make sense to align this fix with later rails releases? (Incidentally I'm not sure how setting local names leads to RCE, so pointers about attacks we want to block would be greatly appreciated, possibly in PM :)) |
FWIW, here are the Debian patches: 4.2.7:
4.1.8:
|
@Beuc, these patches break backward compatibility. |
Hi. What legitimate use case do you think is impacted, exactly? |
@Beuc, read this comment: #39301 (comment) |
@VVD do read my comment as well, my patches are different and typically do not break redmine. |
@VVD Also having this error in production when accessing |
@VVD @a17levine for clarity I created: #39806 @ others (e.g. with hackerone access), would you mind validating security? |
Allow again the following non-reserved local names: _ arg args block Closes: rails#39301
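As an added example, not Rails' own code and not the Debian patch above, here are the two filters this thread argues about side by side, run over a constructed list of local names. The keyword lists and the identifier regex are assumptions mirroring ActiveSupport's `Module::RUBY_RESERVED_KEYWORDS`, `DELEGATION_RESERVED_KEYWORDS` and the `grep` line quoted from d9ff835; the `locals_code` helper is a simplified stand-in for the template compiler's double assignment and is not ActionView's code.

```ruby
require "set"

# Assumed keyword lists (mirroring ActiveSupport's Module constants; not copied
# from a specific Rails version).
RUBY_KEYWORDS = %w(alias and BEGIN begin break case class def defined? do else
  elsif END end ensure false for if in module next nil not or redo rescue retry
  return self super then true undef unless until when while yield).freeze
DELEGATION_KEYWORDS = %w(_ arg args block).freeze
DELEGATION_RESERVED = Set.new(RUBY_KEYWORDS + DELEGATION_KEYWORDS).freeze

# Same shape check as the unchanged grep line in the quoted diff: a plain Ruby
# local variable name (no leading capital or digit; alnum, "_" or non-ASCII).
LOCAL_NAME = /\A(?![A-Z0-9])(?:[[:alnum:]_]|[^\0-\177])+\z/

# Stricter variant: drop Ruby keywords and the delegation helper names too.
# This is the behaviour that, per the thread, rejects "block" and so breaks
# Redmine 3.4 templates that use it as a local.
def locals_strict(locals)
  (locals.to_set - DELEGATION_RESERVED).grep(LOCAL_NAME).sort
end

# Looser variant (what the "+" line of the diff does): drop Ruby keywords only,
# so "block", "args", "arg" and "_" are valid local names again.
def locals_keywords_only(locals)
  (locals - RUBY_KEYWORDS).grep(LOCAL_NAME).sort
end

# Simplified stand-in for the template compiler's double assignment. Every
# name here ends up inside Ruby source that is evaluated, which is why only
# names that passed one of the filters above may be handed to it.
def locals_code(filtered_names)
  filtered_names.map { |k| "#{k} = #{k} = local_assigns[:#{k}];" }.join
end

# Constructed input: legitimate names, reserved names, and one injection attempt.
SAMPLE_LOCALS = [
  "name", "block", "args", "_", "ünïcode",   # legitimate local names
  "class", "Foo", "1abc",                    # keyword, constant-like, bad start
  'foo;system("id");x'                       # code injection if ever interpolated
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "strict:        #{locals_strict(SAMPLE_LOCALS).inspect}"
  puts "keywords only: #{locals_keywords_only(SAMPLE_LOCALS).inspect}"
  puts locals_code(locals_keywords_only(SAMPLE_LOCALS))
end
```

The strict filter is what throws out `block`, `args`, `arg` and `_`; the keywords-only filter lets them through while still dropping real keywords such as `class`. In both variants it is the regex, not the reserved-word list, that keeps a name like `foo;system("id");x` from ever reaching `locals_code`, and that identifier check is the part a backport must not lose.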
@Beuc, this is no longer relevant for me: I just updated Redmine to 4.1.1 and it uses Rails 5.2. |
This is still breaking existing apps: #40161 |
Did you source 4.2.11.3 from the 4.2 stable branch on Github? The Rubygems one has a regression I believe |
Steps to reproduce
localhost:3000
Logs show:
Expected behavior
Shouldn't break an existing app.
Actual behavior
Breaks an existing app.
System configuration
Rails version: 4.2.11.2
Ruby version: 2.4.10 via rvm on Mac OS X 10.15.3