This morning, vulnerabilities in the JSON.parse method were announced (see https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58). Sequel's core doesn't use json, but the following extensions/plugins are affected:
* pg_json extension
* serialization plugin
* json_serializer plugin

If you were using the pg_json extension or the serialization plugin and storing ruby objects in the database serialized with JSON, and expected that on retrieval a ruby object instance would be returned, that no longer works. You'll now get a plain hash when retrieving it from the database.

If you were using the json_serializer extension and relied on JSON.parse returning Model instances, you need to change your code to use Model.from_json instead. However, you should review your code and see if you can use the from_self instance method instead, since that is safer.

See the commit (https://github.com/jeremyevans/sequel/commit/8f990beedbcaa3c2df8aaaa0f79b002755655595) for details and a workaround to allow previous code to work (if you don't care about the security issues).

As this commit changes behavior and can break existing apps, it does not qualify for backporting (e.g. no 3.44.1). I am undecided as to whether to issue 3.45.0 early with this change. If you feel strongly one way or the other, please make your case here.

Thanks,
Jeremy
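An added illustration of the behavior change, not code from Jeremy's post or from Sequel: plain Ruby with the stdlib json gem, where the Item class and its ALLOWED column list are hypothetical stand-ins for a Sequel model and the Model.from_json pattern (parse to a plain hash first, then copy only known columns). The "json_class" key in the constructed input is the marker the json gem's create_additions feature would otherwise turn into an object instance.

```ruby
require 'json'

# Constructed sample input: JSON carrying a "json_class" key, the marker that
# the json gem's create_additions feature turns into an object of that class.
UNTRUSTED_JSON = '{"json_class":"Item","id":7,"name":"widget","admin":true,' \
                 '"tags":[{"json_class":"Item","id":8}]}'

PLAIN_TYPES = [Hash, Array, String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

# Parse with json_class handling explicitly disabled: the result is built
# only from Hash/Array/scalars, never from instances of named classes.
def parse_plain(str)
  JSON.parse(str, create_additions: false)
end

# Recursively check that a parsed document contains only plain data types.
def plain_data?(obj)
  return false unless PLAIN_TYPES.include?(obj.class)
  case obj
  when Hash  then obj.all? { |k, v| k.is_a?(String) && plain_data?(v) }
  when Array then obj.all? { |v| plain_data?(v) }
  else true
  end
end

# Hypothetical stand-in for a Sequel model. from_json follows the
# Model.from_json pattern: parse to a plain hash first, then copy only
# allowlisted column names, so "json_class" and unknown keys are dropped.
class Item
  ALLOWED = %w[id name].freeze
  attr_reader :values

  def initialize(values)
    @values = values
  end

  def self.from_json(str)
    hash = parse_plain(str)
    raise ArgumentError, 'expected a JSON object' unless hash.is_a?(Hash)
    new(hash.select { |k, _| ALLOWED.include?(k) })
  end
end

if __FILE__ == $PROGRAM_NAME
  doc = parse_plain(UNTRUSTED_JSON)
  puts "parsed class: #{doc.class}, plain data only: #{plain_data?(doc)}"
  puts "model values: #{Item.from_json(UNTRUSTED_JSON).values.inspect}"
end
```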
