Reverting to previous versions of parsedown and parsedown-extra #1921
Comments
|
The problem is that i'm not sure these are considered 'bugs' for the Parsedown library, rather they are exploiting loopholes in the previously unsecured Parsedown handling of elements. I doubt that there will be a fix in the Parsedown library as any fix, just re-exposes those vulnerabilities. It probably makes more sense to simply move to another solution rather than using markdown based ones. For example, use image-captions for image captions.. as this still works fine with new Parsedown security fixes. |
I can understand that it would be possible in some cases, but as I specifically chose Grav for its processing using markdown syntax, and more especially for its support of footnotes with the help of smartypants plugin, this problem seriously impact my current project. I guess that one of the possible manners for me would be to specifically downgrade some of the parsedown components on my own installation, or even to entirely revert to a previous version of Grav where this problem had not yet appeared. Unless you think that opening an issue on the smartypants plugin directory may, by any chance, have a little possibility of solution? |
|
You don't need to revert Grav, or change anything manually. You simply change the Parsedown version to the one before the security fixes (1.6.4) in I can't in good conscience force an older version of Parsedown in Grav core if it exposes security vulnerabilities for the sake of a few 3rd party plugins. It sucks, sure, but you can't mess around with security. |
|
You would be better off opening an issue on Parsedown repo, and perhaps ask for an option to disable this security validation if you wish to do so for compatibility reasons. That way you could set an option for markdown, and still be able to stay on the latest version for other features and bugfixes. |
|
Actually looks like there are some fixes already in motion for footnotes at least: erusev/parsedown-extra#118 |
I have tried to do this, but due to
I totally understand this point of view, of course. It is exactly why I wrote before this issue seems to be rather a question than an actual suggestion.
As there is yet an issue devoted to this (footnotes) problem, I think I will first subscribe to it in order to get a better view of the problem.
This option would sound like a reasonable proposal indeed. Thank you for the time spent responding to this thread. |
After changing the version value to |
|
I wonder if it could be related to this problem, where it is said that |
|
In order to use any vulnerable libraries, you need to disable There is no ill effect removing the dependency, except that you will not get informed about vulnerabilities anymore. |
|
So, as stated by @rhukster, who has suggested to downgrade to Thanks to all. |
|
Any chance of an actual step-by-step of the process, for those of us who are mere users of Grav, rather than developers. I don't mind going into the Terminal, but it would be very useful to have a detailed list of what to do. |
|
Sure:
NOTE: If you don't have composer installed, you can use the one bundled with Grav:
Job done. |
|
Very cool. Will report back in the morning, when I am less likely
to mess up.
On Tue, 20 Mar 2018, at 5:30 PM, Andy Miller wrote:
Sure:
1. Edit composer.json in the root of Grav
2. Remove the security checking dependency: "roave/security-
advisories": "dev-master",`
1. Edit the parsedown entry to force the last pre-security fixed
version: "erusev/parsedown": "1.6.4",
1. From terminal run composer update --no-dev> Job done.
— You are receiving this because you commented. Reply to this email
directly, view it on GitHub[1], or mute the thread[2].>
|
|
Thank you very much.
That worked perfectly locally.
When I went to do it at production (I sync only /user via github) I got
an error with Composer, because the .phar extension is not installed.
Rather than mess with php.ini (I'm on Dreamhost, so it is complicated) I
just copied up the /parsedown folder.
It works, but I was wondering, will there be problems in future? Am I
better off creating a new copy of Grav root (ignoring /user) via github?
Thanks again.
Jeremy
On Tue, 20 Mar 2018, at 5:30 PM, Andy Miller wrote:
Sure:
1. Edit composer.json in the root of Grav
2. Remove the security checking dependency: "roave/security-
advisories": "dev-master",`
1. Edit the parsedown entry to force the last pre-security fixed
version: "erusev/parsedown": "1.6.4",
1. From terminal run composer update --no-dev> Job done.
— You are receiving this because you commented. Reply to this email
directly, view it on GitHub[1], or mute the thread[2].>
|
|
There's actually a fix in Parsedown |
|
Sorry not quite clear @rhukster does this mean "wait a bit longer an all will be well"? |
|
The fix is in Parsedown 1.8.0-beta1: https://github.com/erusev/parsedown/releases So the next update of Grav with have the fix. |
Due to the recent problems encountered with the new security release of
parsedownandparsedown-extra(which introduce some errors in Grav, such as breaking markup for image captions or footnotes), I wonder if it would not be better to revert temporarily (just during the period this bug is not properly resolved) to an efficient previous version (by simply updating the dependencies incomposer.jsonand rebuilding thecomposer.lockaccordingly).This is more a question than a real suggestion: I don't know all the possible interdependencies, but as the time to solve the problem is unknown and the previous versions were functional, I suppose this little change could be potentially considered.
The text was updated successfully, but these errors were encountered: