Upgrade to v2.0.2 sinatra-contrib forces backports regression #1441

Closed
auxbuss opened this Issue Jun 5, 2018 · 19 comments

10 participants

auxbuss commented Jun 5, 2018

sinatra-contrib (2.0.1) had backports (>= 2.0) resulting in backports (3.11.3).
sinatra-contrib (2.0.2) has backports (~> 2.8.2) resulting in backports (~> 2.8.2)

Of course, this breaks a lot of things.
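
As an added illustration (not code from the issue or from the Sinatra project), the Ruby script below uses RubyGems' own Gem::Requirement to show why the `~> 2.8.2` pin in sinatra-contrib 2.0.2 cannot coexist with an application that needs backports 3.x, and why relaxing it to `>= 2.8.2` resolves again; the list of backports releases is a constructed sample, not the real release history.

```ruby
require 'rubygems'

# Constructed sample of backports releases, just enough to show the conflict.
BACKPORTS_VERSIONS = %w[2.8.2 2.8.3 3.0.0 3.11.3].map { |v| Gem::Version.new(v) }

# sinatra-contrib 2.0.2 pinned backports with "~> 2.8.2" (>= 2.8.2 and < 2.9).
CONTRIB_2_0_2 = '~> 2.8.2'.freeze
# 2.0.3 (the fix-1441 branch) relaxed the pin to ">= 2.8.2".
CONTRIB_2_0_3 = '>= 2.8.2'.freeze

# Newest available version that satisfies every requirement string, or nil
# when no version satisfies all of them (Bundler's "could not find
# compatible versions" situation).
def resolve(available, requirements)
  reqs = requirements.map { |r| Gem::Requirement.new(r) }
  available.select { |v| reqs.all? { |r| r.satisfied_by?(v) } }.max
end

# For each candidate version, the requirement strings that reject it; this is
# the detail a resolver error message usually hides.
def conflicts(available, requirements)
  available.each_with_object({}) do |v, out|
    rejecting = requirements.reject { |r| Gem::Requirement.new(r).satisfied_by?(v) }
    out[v.to_s] = rejecting unless rejecting.empty?
  end
end

# Combine the sinatra-contrib pin with whatever the application itself asks for.
def pick_backports(contrib_pin, app_requirement = '>= 0')
  resolve(BACKPORTS_VERSIONS, [contrib_pin, app_requirement])
end

if __FILE__ == $PROGRAM_NAME
  puts "2.0.2 pin alone:        #{pick_backports(CONTRIB_2_0_2)}"               # 2.8.3
  puts "2.0.2 pin + app >= 3.0: #{pick_backports(CONTRIB_2_0_2, '>= 3.0').inspect}" # nil
  puts conflicts(BACKPORTS_VERSIONS, [CONTRIB_2_0_2, '>= 3.0']).inspect
  puts "2.0.3 pin + app >= 3.0: #{pick_backports(CONTRIB_2_0_3, '>= 3.0')}"     # 3.11.3
end
```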

soundasleep commented Jun 6, 2018

Yep, this breaks a lot of things. Losing Ruby 2.4+ features in existing projects.

Consider changing ~> 2.8.2 to >= 2.8.2 so that we can add backports 3.11.3.

robinetmiller commented Jun 6, 2018

+1. Just encountered this conflict with Cucumber.

2.0.2 is supposed to be a fix for CVE-2018-11627, but of course we can't update cleanly because of the conflict. Is there a reason this was locked to Backports 2.8.2?

@namusyaka

Edit: and is pointing to the commit right before this change a safe workaround?

@namusyaka namusyaka added this to the v2.0.3 milestone Jun 6, 2018

namusyaka (Member) commented Jun 6, 2018

To fix a broken test, I have locked the backports gem in this PR.
I'm going to face this problem, but it seems to take a while.
If you have the best solution, it will be appreciated if you send a PR.

fdr commented Jun 6, 2018

This breaks Sequel's Model['some-id'] expressions, which is catastrophic.

robinetmiller commented Jun 6, 2018

Linking to 3scale/apisonator#30

Can @marcandre's #1420 be moved up sooner than 2.1.0?

fdr commented Jun 6, 2018

My mistake, it breaks not Sequel but pry, and also fileutils/simplecov trying to do I/O:

	 7: from /home/fdr/.rbenv/versions/2.5.1/lib/ruby/2.5.0/fileutils.rb:1291:in `copy_file'
	 6: from /home/fdr/.rbenv/versions/2.5.1/lib/ruby/gems/2.5.0/gems/backports-2.8.2/lib/backports/1.9.1/io.rb:23:in `open_with_options_hash'
	 5: from /home/fdr/.rbenv/versions/2.5.1/lib/ruby/gems/2.5.0/gems/backports-2.8.2/lib/backports/1.9.1/io.rb:23:in `open'
	 4: from /home/fdr/.rbenv/versions/2.5.1/lib/ruby/gems/2.5.0/gems/backports-2.8.2/lib/backports/1.9.1/io.rb:23:in `block in open_with_options_hash'
	 3: from /home/fdr/.rbenv/versions/2.5.1/lib/ruby/2.5.0/fileutils.rb:1292:in `block in copy_file'
	 2: from /home/fdr/.rbenv/versions/2.5.1/lib/ruby/gems/2.5.0/gems/backports-2.8.2/lib/backports/1.9.1/io.rb:20:in `open_with_options_hash'
	 1: from /home/fdr/.rbenv/versions/2.5.1/lib/ruby/gems/2.5.0/gems/backports-2.8.2/lib/backports/tools.rb:269:in `combine_mode_and_option'
/home/fdr/.rbenv/versions/2.5.1/lib/ruby/gems/2.5.0/gems/backports-2.8.2/lib/backports/tools.rb:269:in `[]': no implicit conversion of Symbol into Integer (TypeError)

namusyaka (Member) commented Jun 6, 2018

@robinetmiller I will consider whether we can introduce #1420 to v2.0.3.
I'd be glad if you could participate in the review.

michal-kazmierczak commented Jun 6, 2018

@namusyaka 2.0.3 has 18 open issues at this moment; I wouldn't expect a quick release. Would it be an option to release 2.0.3 with just a slight change (from ~> 2.8.3 to >= 2.8.3) and move those 18 issues to 2.0.4? Happy to create a PR if it's ok.

Locking backports to 2.8.3 (a 5-year old gem) breaks lots of things. https://github.com/michal-kazmierczak/sinatra is working fine for me

namusyaka (Member) commented Jun 6, 2018

@michal-kazmierczak Yeah, I'm going to consider that.

mshiltonj commented Jun 6, 2018

This problem has me hitting this "ancient" issue on the backports project.

marcandre/backports#92

cice commented Jun 6, 2018

Just broke our app entirely. Downgrading to a gem version from 2013 is not the best move.

namusyaka (Member) commented Jun 6, 2018

First of all, I'm sorry for the regression.
I decided to release v2.0.3 containing a patch for this issue as soon as possible.
I'm planning to release v2.0.3 tomorrow or the day after tomorrow.

And then, in order to release the version, I think the issue must be clearer.
For example, if it is just "broken", I don't know the detailed situation.
I'm currently aware of the locked version of the backports gem being inappropriate as the only problem.

I hope that the next release will correctly resolve the regression brought by v2.0.2.
Therefore, if there are other problems that I don't recognize, please create a new issue instead.
I'll cope with the problem as soon as possible.

And I have created a PR to clarify the changes for the next v2.0.3.
Does the change work properly in your application?
By specifying it as below, you can check it.

gem 'sinatra-contrib', github: 'sinatra/sinatra', branch: 'fix-1441'

Thanks,

auxbuss commented Jun 6, 2018

@namusyaka fix-1441 works here 👍

robinetmiller commented Jun 6, 2018

@namusyaka That fixes mine as well, thanks.

jrgns commented Jun 7, 2018

This breaks simplecov as well:


/builds/fnms/accounts-component/vendor/bundle/ruby/2.4.0/gems/backports-2.8.2/lib/backports/tools.rb:269:in `[]': no implicit conversion of Symbol into Integer (TypeError)
	from /builds/fnms/accounts-component/vendor/bundle/ruby/2.4.0/gems/backports-2.8.2/lib/backports/tools.rb:269:in `combine_mode_and_option'
	from /builds/fnms/accounts-component/vendor/bundle/ruby/2.4.0/gems/backports-2.8.2/lib/backports/1.9.1/io.rb:20:in `open_with_options_hash'
	from /usr/local/lib/ruby/2.4.0/fileutils.rb:1290:in `block in copy_file'
	from /builds/fnms/accounts-component/vendor/bundle/ruby/2.4.0/gems/backports-2.8.2/lib/backports/1.9.1/io.rb:23:in `block in open_with_options_hash'
	from /builds/fnms/accounts-component/vendor/bundle/ruby/2.4.0/gems/backports-2.8.2/lib/backports/1.9.1/io.rb:23:in `open'
	from /builds/fnms/accounts-component/vendor/bundle/ruby/2.4.0/gems/backports-2.8.2/lib/backports/1.9.1/io.rb:23:in `open_with_options_hash'
	from /usr/local/lib/ruby/2.4.0/fileutils.rb:1289:in `copy_file'
	from /usr/local/lib/ruby/2.4.0/fileutils.rb:1257:in `copy'
	from /usr/local/lib/ruby/2.4.0/fileutils.rb:416:in `block in copy_entry'
	from /usr/local/lib/ruby/2.4.0/fileutils.rb:1388:in `wrap_traverse'
	from /usr/local/lib/ruby/2.4.0/fileutils.rb:1391:in `block in wrap_traverse'
	from /usr/local/lib/ruby/2.4.0/fileutils.rb:1390:in `each'
	from /usr/local/lib/ruby/2.4.0/fileutils.rb:1390:in `wrap_traverse'
	from /usr/local/lib/ruby/2.4.0/fileutils.rb:413:in `copy_entry'
	from /usr/local/lib/ruby/2.4.0/fileutils.rb:391:in `block in cp_r'
	from /usr/local/lib/ruby/2.4.0/fileutils.rb:1461:in `block in fu_each_src_dest'
	from /usr/local/lib/ruby/2.4.0/fileutils.rb:1475:in `fu_each_src_dest0'
	from /usr/local/lib/ruby/2.4.0/fileutils.rb:1459:in `fu_each_src_dest'
	from /usr/local/lib/ruby/2.4.0/fileutils.rb:390:in `cp_r'
	from /builds/fnms/accounts-component/vendor/bundle/ruby/2.4.0/gems/simplecov-html-0.10.2/lib/simplecov-html.rb:19:in `block in format'

namusyaka (Member) commented Jun 7, 2018

@jrgns Could you check this branch?

cice commented Jun 7, 2018

@namusyaka Thanks for the fix! We were trying to get the security update for sinatra out asap and ran into the same issue as #1441 (comment), sorry for not being clearer on that.

fcheung commented Jun 7, 2018

This broke aws-sdk for me (the fix-1441 branch fixed it for me).

namusyaka (Member) commented Jun 8, 2018

Closed via #1442.
And just released v2.0.3: https://rubygems.org/gems/sinatra-contrib/versions/2.0.3

@namusyaka namusyaka closed this Jun 8, 2018

bandesz added a commit to alphagov/paas-product-page that referenced this issue Jun 11, 2018

Upgrade Sinatra to 2.0.3
Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a
params parser exception. [1]

Version 2.0.2 introduced a regression which was fixed in 2.0.3. [2]

[1] https://nvd.nist.gov/vuln/detail/CVE-2018-11627
[2] sinatra/sinatra#1441