On Monday, February 11, 2013 1:50:06 PM UTC-8, Jeremy Evans wrote:

> See the commit (https://github.com/jeremyevans/sequel/commit/8f990beedbcaa3c2df8aaaa0f79b002755655595) for details and a workaround to allow previous code to work (if you don't care about the security issues).
>
> As this commit changes behavior and can break existing apps, it does not qualify for backporting (e.g. no 3.44.1). I am undecided as to whether to issue 3.45.0 early with this change. If you feel strongly one way or the other, please make your case here.

I've worked more on this last night and this morning, and made some changes so that xml_serializer and json_serializer are secure by default when parsing xml/json. Previously, these plugins allowed setting of all column values as well as setting any associated objects as cached associations. This was so that they could roundtrip successfully. I've realized that was a design mistake, as these methods are likely to be used with user input. While the plugin's previous behavior wasn't vulnerable by itself, it's possible that the looseness it allowed could open up vulnerabilities in applications.
The changes I've made are not backwards compatible if you were relying on restricted column values or arbitrary associations being set. If you want that behavior, you now have to specify the :all_columns=>true and :all_associations=>true options. However, I recommend that users use the :fields and :associations options in order to be specific about what columns/associations should be set.

I'm open to releasing 3.45.0 with these changes earlier than the usual release cycle, but considering the nature of the changes made, I would greatly appreciate if users of the json_serializer and xml_serializer plugins would try out the new code and provide feedback before the release.

Thanks,
Jeremy

--
You received this message because you are subscribed to the Google Groups "sequel-talk" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/sequel-talk?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
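The following is an added illustration of the allowlist semantics the post describes, written as a small stand-alone Ruby sketch; it is not Sequel's own json_serializer code. The `Post` class, its `COLUMNS`, `RESTRICTED` and `ASSOCIATIONS` lists, and the `from_json` stub are assumptions standing in for a Sequel model, and the JSON document is constructed input that tries to set a restricted column and inject a cached association. It shows why the default is now safe, how `:fields`/`:associations` narrow what input may touch, and what `:all_columns`/`:all_associations` opt back into.

```ruby
require 'json'

# Constructed stand-in for a Sequel model class (hypothetical; not Sequel's code).
class Post
  COLUMNS      = %i[id title body author_id].freeze
  RESTRICTED   = %i[id author_id].freeze   # columns the app never wants set from input
  ASSOCIATIONS = %i[author comments].freeze

  attr_reader :values, :associations

  def initialize
    @values = {}
    @associations = {}
  end

  # Mirrors the secure-by-default behaviour described in the post:
  #  - no options:        only unrestricted columns are set; associations are ignored
  #  - :fields / :associations:  explicit allowlists (the recommended form)
  #  - :all_columns / :all_associations:  the old permissive behaviour, now opt-in
  def self.from_json(json, opts = {})
    hash = JSON.parse(json)
    raise ArgumentError, 'expected a JSON object' unless hash.is_a?(Hash)
    new.set_from_hash(hash, opts)
  end

  def set_from_hash(hash, opts)
    allowed_cols = if opts[:all_columns]
                     COLUMNS
                   elsif opts[:fields]
                     opts[:fields].map(&:to_sym) & COLUMNS
                   else
                     COLUMNS - RESTRICTED
                   end
    allowed_assocs = if opts[:all_associations]
                       ASSOCIATIONS
                     elsif opts[:associations]
                       opts[:associations].map(&:to_sym) & ASSOCIATIONS
                     else
                       []
                     end

    hash.each do |k, v|
      key = k.to_sym
      if COLUMNS.include?(key)
        @values[key] = v if allowed_cols.include?(key)
      elsif ASSOCIATIONS.include?(key)
        @associations[key] = v if allowed_assocs.include?(key)
      end
      # Keys that are neither a column nor an association are dropped.
    end
    self
  end
end

# Constructed untrusted input: tries to set the restricted id/author_id columns
# and to smuggle in a cached "author" association.
UNTRUSTED_JSON = '{"title":"Hi","body":"text","author_id":1,"id":99,' \
                 '"author":{"id":1,"admin":true}}'

# Parses the same input under each option set so the differences are visible.
def demo
  {
    default: Post.from_json(UNTRUSTED_JSON),
    fields:  Post.from_json(UNTRUSTED_JSON, fields: [:title]),
    assoc:   Post.from_json(UNTRUSTED_JSON, associations: [:author]),
    legacy:  Post.from_json(UNTRUSTED_JSON, all_columns: true, all_associations: true)
  }
end

if __FILE__ == $0
  demo.each do |name, post|
    puts "#{name}: values=#{post.values.inspect} associations=#{post.associations.inspect}"
  end
end
```

With no options the restricted `id` and `author_id` values and the injected `author` object are discarded; `fields: [:title]` narrows further; only the explicit `all_columns`/`all_associations` pair reproduces the pre-change behaviour, which is why the post recommends the allowlist options over them.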
