Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Date._iso8601 regression following the 3.2.1 security fix #39

Closed
casperisfine opened this issue Nov 15, 2021 · 6 comments · Fixed by #40
Closed

Date._iso8601 regression following the 3.2.1 security fix #39

casperisfine opened this issue Nov 15, 2021 · 6 comments · Fixed by #40
Assignees

Comments

@casperisfine
Copy link

casperisfine commented Nov 15, 2021

Previous versions

>> Date._iso8601(nil)
=> {}

3.2.1

>> Date._iso8601(nil)
(irb):2:in `_iso8601': no implicit conversion of nil into String (TypeError)
casperisfine pushed a commit to casperisfine/date that referenced this issue Nov 15, 2021
Fix: ruby#39

This is how versions previous to 3.2.1 behaved and Active Support
currently rely on this behavior.

https://github.com/rails/rails/blob/90357af08048ef5076730505f6e7b14a81f33d0c/activesupport/lib/active_support/values/time_zone.rb#L383-L384

Any Rails application upgrading to date `3.2.1` might run into unexpected errors.
@hsbt
Copy link
Member

hsbt commented Nov 16, 2021

And I also faced the regression of CVE-2021-41817 with ruby/spec.

ruby/ruby@17e64cc

@casperisfine
Copy link
Author

Oh, good one, I didn't check symbols in my fix.

@hsbt hsbt self-assigned this Nov 16, 2021
@casperisfine
Copy link
Author

casperisfine commented Nov 16, 2021

Yep:

Error: test__iso8601(TestDateParse): TypeError: no implicit conversion of Symbol into String
/Users/byroot/src/github.com/casperisfine/date/test/date/test_date_parse.rb:855:in `_iso8601'
/Users/byroot/src/github.com/casperisfine/date/test/date/test_date_parse.rb:855:in `test__iso8601'
     852:     h = Date._iso8601(nil)
     853:     assert_equal({}, h)
     854: 
  => 855:     h = Date._iso8601('01-02-03T04:05:06Z'.to_sym)
     856:     assert_equal([2001, 2, 3, 4, 5, 6, 0],
     857: 		 h.values_at(:year, :mon, :mday, :hour, :min, :sec, :offset))
     858:   end

@hsbt maybe it's best to report this as a separate issue?

@hsbt
Copy link
Member

hsbt commented Nov 16, 2021

@casperisfine Thanks for your confirmation. It's good to separate from this issue or #40 .

@casperisfine
Copy link
Author

I pushed the fix for symbols in #40

@Vasfed
Copy link

Vasfed commented Nov 16, 2021

Looks like this also affectsDateTime.rfc2822(nil), previously it raised ArgumentError, but in 2.0.1 it raises no implicit conversion of nil into String (TypeError), this breaks some applications and gems like faraday.

Looking forward to a new release with #40 merged

@mame mame closed this as completed in #40 Nov 16, 2021
matzbot pushed a commit to ruby/ruby that referenced this issue Nov 16, 2021
Fix: ruby/date#39

This is how versions previous to 3.2.1 behaved and Active Support
currently rely on this behavior.

https://github.com/rails/rails/blob/90357af08048ef5076730505f6e7b14a81f33d0c/activesupport/lib/active_support/values/time_zone.rb#L383-L384

Any Rails application upgrading to date `3.2.1` might run into unexpected errors.

ruby/date@8f2d7a0c7e
hsbt pushed a commit that referenced this issue Jan 26, 2022
Fix: #39

This is how versions previous to 3.2.1 behaved and Active Support
currently rely on this behavior.

https://github.com/rails/rails/blob/90357af08048ef5076730505f6e7b14a81f33d0c/activesupport/lib/active_support/values/time_zone.rb#L383-L384

Any Rails application upgrading to date `3.2.1` might run into unexpected errors.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging a pull request may close this issue.

3 participants