Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Date._iso8601 regression following the 3.2.1 security fix #39

Closed
casperisfine opened this issue Nov 15, 2021 · 6 comments · Fixed by #40
Closed

Date._iso8601 regression following the 3.2.1 security fix #39

casperisfine opened this issue Nov 15, 2021 · 6 comments · Fixed by #40
Assignees
@hsbt

Comments

@casperisfine
Copy link

casperisfine commented Nov 15, 2021
edited
Loading

Previous versions

>> Date._iso8601(nil)
=> {}

3.2.1

>> Date._iso8601(nil)
(irb):2:in `_iso8601': no implicit conversion of nil into String (TypeError)
casperisfine pushed a commit to casperisfine/date that referenced this issue Nov 15, 2021
@byroot
Date._<format>(nil) should return an empty Hash
8f2d7a0 
Fix: ruby#39

This is how versions previous to 3.2.1 behaved and Active Support
currently rely on this behavior.

https://github.com/rails/rails/blob/90357af08048ef5076730505f6e7b14a81f33d0c/activesupport/lib/active_support/values/time_zone.rb#L383-L384

Any Rails application upgrading to date `3.2.1` might run into unexpected errors.
This was referenced Nov 15, 2021
Merged
Merged
@wwahammy wwahammy mentioned this issue Nov 15, 2021
Closed
@hsbt
Copy link
Member

hsbt commented Nov 16, 2021

And I also faced the regression of CVE-2021-41817 with ruby/spec.

ruby/ruby@17e64cc

@casperisfine
Copy link
Author

Oh, good one, I didn't check symbols in my fix.

@hsbt hsbt self-assigned this Nov 16, 2021
@casperisfine
Copy link
Author

casperisfine commented Nov 16, 2021
edited
Loading

Yep:

Error: test__iso8601(TestDateParse): TypeError: no implicit conversion of Symbol into String
/Users/byroot/src/github.com/casperisfine/date/test/date/test_date_parse.rb:855:in `_iso8601'
/Users/byroot/src/github.com/casperisfine/date/test/date/test_date_parse.rb:855:in `test__iso8601'
     852:     h = Date._iso8601(nil)
     853:     assert_equal({}, h)
     854: 
  => 855:     h = Date._iso8601('01-02-03T04:05:06Z'.to_sym)
     856:     assert_equal([2001, 2, 3, 4, 5, 6, 0],
     857: 		 h.values_at(:year, :mon, :mday, :hour, :min, :sec, :offset))
     858:   end

@hsbt maybe it's best to report this as a separate issue?

@hsbt
Copy link
Member

hsbt commented Nov 16, 2021

@casperisfine Thanks for your confirmation. It's good to separate from this issue or #40 .

@casperisfine
Copy link
Author

I pushed the fix for symbols in #40

@Vasfed
Copy link

Vasfed commented Nov 16, 2021

Looks like this also affectsDateTime.rfc2822(nil), previously it raised ArgumentError, but in 2.0.1 it raises no implicit conversion of nil into String (TypeError), this breaks some applications and gems like faraday.

Looking forward to a new release with #40 merged

@mame mame closed this as completed in #40 Nov 16, 2021
matzbot pushed a commit to ruby/ruby that referenced this issue Nov 16, 2021
@byroot @mame
[ruby/date] Date._<format>(nil) should return an empty Hash
fa674cf 
Fix: ruby/date#39

This is how versions previous to 3.2.1 behaved and Active Support
currently rely on this behavior.

https://github.com/rails/rails/blob/90357af08048ef5076730505f6e7b14a81f33d0c/activesupport/lib/active_support/values/time_zone.rb#L383-L384

Any Rails application upgrading to date `3.2.1` might run into unexpected errors.

ruby/date@8f2d7a0c7e
hsbt pushed a commit that referenced this issue Jan 26, 2022
@byroot @mame
Date._<format>(nil) should return an empty Hash
ae319af 
Fix: #39

This is how versions previous to 3.2.1 behaved and Active Support
currently rely on this behavior.

https://github.com/rails/rails/blob/90357af08048ef5076730505f6e7b14a81f33d0c/activesupport/lib/active_support/values/time_zone.rb#L383-L384

Any Rails application upgrading to date `3.2.1` might run into unexpected errors.
@github-actions github-actions bot mentioned this issue May 16, 2024
Merged
@github-actions github-actions bot mentioned this issue Jun 4, 2024
Merged
@github-actions github-actions bot mentioned this issue Aug 22, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hsbt hsbt

Labels
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Date._<format>(nil) should return an empty Hash casperisfine/date
3 participants
@hsbt @Vasfed @casperisfine