I don't have a strong case for it, but I would prefer to see a 3.45.0 release due to the non-compatibility. Thanks for the diligence, Jeremy.
On Monday, February 11, 2013 4:50:06 PM UTC-5, Jeremy Evans wrote:
> This morning, vulnerabilities in the JSON.parse method were announced (see
> https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58).
>
> Sequel's core doesn't use json, but the following extensions/plugins are
> affected:
>
> * pg_json extension
> * serialization plugin
> * json_serializer plugin
>
> If you were using the pg_json extension or the serialization plugin and
> storing ruby objects in the database serialized with JSON, and expected that
> on retrieval, a ruby object instance would be returned, that no longer works.
> You'll now get a plain hash when retrieving it from the database.
>
> If you were using the json_serializer extension and relied on JSON.parse
> returning Model instances, you need to change your code to use
> Model.from_json instead. However, you should review your code and see if you
> can use the from_self instance method instead, since that is safer.
>
> See the commit
> (https://github.com/jeremyevans/sequel/commit/8f990beedbcaa3c2df8aaaa0f79b002755655595)
> for details and a workaround to allow previous code to work (if you don't
> care about the security issues).
>
> As this commit changes behavior and can break existing apps, it does not
> qualify for backporting (e.g. no 3.44.1). I am undecided as to whether to
> issue 3.45.0 early with this change. If you feel strongly one way or the
> other, please make your case here.
>
> Thanks,
> Jeremy
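
The mechanism behind the announcement, as an added example (this is illustrative code written for this page, not Sequel's code and not part of Jeremy's post). The json gem's parser honours a "json_class" key when the create_additions option is on and instantiates whatever class the document names, so a stored document can pick any class in the process that defines json_create. The classes Setting and Trap and the two documents are constructed for the example; the create_additions option is the json gem's real option name. The three functions model, in order, the pre-fix behaviour (object comes back), the post-fix behaviour (plain hash comes back), and the explicit "caller names the class" style that Model.from_json stands for:

```ruby
require 'json'

# Constructed example: a class the application legitimately stores as JSON.
# Any class that answers json_create can be built by the parser when
# create_additions is on; the document picks which one via "json_class".
class Setting
  attr_reader :name, :value

  def initialize(name, value)
    @name = name
    @value = value
  end

  def to_json(*args)
    { JSON.create_id => self.class.name, 'name' => @name, 'value' => @value }.to_json(*args)
  end

  def self.json_create(hash)
    new(hash['name'], hash['value'])
  end
end

# Constructed stand-in for any other creatable class loaded in the process.
# json_create has a visible side effect so the test can show that merely
# parsing a document triggered it.
class Trap
  @@instantiated = 0

  def self.instantiated
    @@instantiated
  end

  def self.json_create(_hash)
    @@instantiated += 1
    new
  end
end

# Document the application wrote (what a serialization column would hold).
STORED = Setting.new('theme', 'dark').to_json
# Document an attacker wrote into the same column: same shape, different class.
HOSTILE = '{"json_class":"Trap","name":"theme","value":"dark"}'

# Pre-fix behaviour: the parser follows json_class and calls the named class.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# Post-fix behaviour: additions off, so json_class is just another key and
# the caller gets a plain Hash back.
def parse_plain(doc)
  JSON.parse(doc, create_additions: false)
end

# Explicit deserialization: the caller decides the class, the document cannot.
# Anything that does not claim to be a Setting is rejected rather than built.
def setting_from_json(doc)
  hash = parse_plain(doc)
  unless hash.is_a?(Hash) && hash[JSON.create_id] == Setting.name
    raise ArgumentError, 'not a Setting document'
  end
  Setting.new(hash['name'], hash['value'])
end
```

The point to take from the Trap case is that the side effect fires inside JSON.parse itself, before the application has looked at the result, so a check on the returned object's type comes too late; the class choice has to be taken away from the document, which is what turning create_additions off does.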
