-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
avoid overwriting params with falsey value #1418
Conversation
To fix broken tests, applied #1419. Force pushed, but changes are nothing. |
👍 thanks again! |
@nickpelone Thanks for confirming my patch. I'll let @zzak and @rkh review this. Please wait for merging. |
The change looks good for what it wants to do. But I don't think we want this change, it might be opening up for security issue or at least bugs where someone is assuming a param can only be set via pattern (ie, imagine someone limiting what set :pattern, capture: { ext: %w[home imprint] }
get '/:page?' do
page = params[:page] || 'home'
path = File.expand_path(page, page_directory)
send_file path
end |
I've never used the feature you describe above - I sanitize my params (wherever they originated in the stack: optional captures, request bodies, etc) with an external gem. Without getting too in the weeds here, my approach worked in Sinatra 1.4, but is broken in 2.x, where one of the stated desires was for people to file a ticket if their app stopped working. (and for what it's worth, I imagine the situation described above would happen in Sinatra 1.4.x too, re: assuming captures could only come from the route matcher). I could even live with an option I had to toggle on, but for this behavior to go totally away, forever, would be very depressing to me. (In addition to necessitating a revision of my API I design / deciding to backport to the entire Sinatra 1.x / Rack 1.x ecosystem and live in the past...eww!) I have strong interest in seeing this functionality restored - so if another approach is needed I could dive into the code and propose one, failing all else. Thanks. |
Since received @rkh's comment, I have reconsidered this issue. What I'd like to say is that it is not important that validation is carried out, but the two elements are different in nature. However, we should look to the fact that this errant behavior was working with traditional sinatra. /cc @nickpelone @rkh In any case, I decided to close this PR as an unwanted change. |
|
Upon further reflection, I figure I can make this "lax" style I was using work with an extra helper method in those route blocks so I guess I'll stop being so grumpy. Thanks for taking a look. |
This behavior arises from the commit that mustermann was introduced.
see: 7a9ffcc
That breaks backward compatibility with Sinatra v1.4.X and is not intended behavior.
This changes it so that it overwrites params only if there is a possible value as a block argument.
Fixes #1417
I want a cautious review on this PR. After sufficient review, I'm planning to merge the commit.
/cc @rkh @zzak @nickpelone