<p><a class="external" href="https://www.chiliproject.org/">https://www.chiliproject.org/</a> (feed updated 2011-04-20T16:25:53+02:00)</p>
<p><strong>ChiliProject - Bug #345: Entering large numbers for 'Estimated Time' fails with 'Invalid big Decimal Value'</strong></p>
<p><strong>Gregor Schmidt</strong> (schmidt@nach-vorne.eu), 2011-04-20T16:25:53+02:00, <a class="external" href="https://www.chiliproject.org/issues/345?journal_id=10046">journal 10046</a></p>
<ul>
<li><strong>Start date</strong> set to <i>2011-04-20</i></li>
<li><strong>Estimated time</strong> deleted ()</li>
<li><strong>Priority</strong> changed from <i>Normal</i> to <i>Normal</i></li>
<li><strong>Project</strong> set to <i>ChiliProject</i></li>
<li><strong>Target version</strong> set to <i>2.0.0</i></li>
<li><strong>Assignee</strong> set to <i>Eric Davis</i></li>
<li><strong>% Done</strong> changed from <i>0</i> to <i>0</i></li>
<li><strong>Subject</strong> set to <i>Entering large numbers for 'Estimated Time' fails with 'Invalid big Decimal Value'</i></li>
<li><strong>Category</strong> set to <i>Issue tracking</i></li>
<li><strong>Tracker</strong> set to <i>Bug</i></li>
<li><strong>Due date</strong> deleted ()</li>
<li><strong>Subproject of</strong> deleted ()</li>
<li><strong>Description</strong> set to <i>While trying to set estimated time of an issue to 5000000 hours, I am getting...</i></li>
<li><strong>Status</strong> changed from <i>Open</i> to <i>Closed</i></li>
</ul>
<p><strong>Gregor Schmidt</strong> (schmidt@nach-vorne.eu), 2011-04-20T16:34:48+02:00, <a class="external" href="https://www.chiliproject.org/issues/345?journal_id=1638">journal 1638</a></p>
<ul><li><strong>Status</strong> changed from <i>Open</i> to <i>Ready for review</i></li></ul><p>The outlined changes may be found at</p>
<p><a class="external" href="https://github.com/schmidt/chiliproject/tree/b/345-remove-big-decimal-patch">https://github.com/schmidt/chiliproject/tree/b/345-remove-big-decimal-patch</a></p>
<p>and</p>
<p><a class="external" href="https://github.com/schmidt/chiliproject/tree/b/345-limit-scope-of-big-decimal-patch">https://github.com/schmidt/chiliproject/tree/b/345-limit-scope-of-big-decimal-patch</a></p>
<p><strong>Eric Davis</strong>, 2011-04-20T18:51:07+02:00, <a class="external" href="https://www.chiliproject.org/issues/345?journal_id=1639">journal 1639</a></p>
<p>Since most people won't be logging 5,000,000 hours in one time entry (570 years of work), I think we should just remove the patch from 2.0.0 since we would be dropping/phasing out 1.8.6 then.</p>
<p><strong>Gregor Schmidt</strong> (schmidt@nach-vorne.eu), 2011-04-20T20:03:56+02:00, <a class="external" href="https://www.chiliproject.org/issues/345?journal_id=1640">journal 1640</a></p>
<p>Thanks for having a look at this issue.</p>
<p>Although I agree with your opinion, I do not follow your conclusion:</p>
<p>The security issue that is fixed by this workaround is present in older versions of 1.8.6 and 1.8.7. Furthermore, it is fixed in current versions of 1.8.6 and 1.8.7. Therefore, phasing out 1.8.6 is not helping in this context. This would also mean that removing the patch does not need a major release but could be done in 1.3.0.</p>
<p><strong>Eric Davis</strong>, 2011-04-20T23:59:10+02:00, <a class="external" href="https://www.chiliproject.org/issues/345?journal_id=1643">journal 1643</a></p>
<p>Some clarification as to why I said to just remove it in 2.0.0:</p>
<ul>
<li>From what I remember, this bug was worked around in a newer rails version which is in unstable already, so 2.0 could have it removed. (I'll need to check the security report).</li>
<li>Removing the patch from 1.x could re-expose the security hole for users on older versions of Ruby. (You can't assume everyone is on the latest Ruby. I had a client on 1.8.5 until only a few months ago.)</li>
<li>If the scoping patch works for all users on older Ruby versions, then we might be able to add it for 1.x <strong>but</strong> this feels like such an edge case, I'm not sure there is enough time to include it (i.e. more important bugs are still pending). If someone has the time to review it with older versions of Ruby before mid-next week, we might be able to include it in 1.3.0. Otherwise it will need to wait until 1.4.0, which might not be released if 2.0 is ready before then :)</li>
</ul>
<p><strong>Gregor Schmidt</strong> (schmidt@nach-vorne.eu), 2011-04-21T05:20:44+02:00, <a class="external" href="https://www.chiliproject.org/issues/345?journal_id=1644">journal 1644</a></p>
<ul><li><strong>Target version</strong> changed from <i>1.3.0</i> to <i>2.0.0</i></li></ul><p>Thanks for your detailed explanations.</p>
<p>I don't think it is worth it to first add the guards, just to completely remove the patch in the next release.</p>
<p>Shall I open a pull request targeting the unstable branch which just removes the file?</p>
<p><strong>Gregor Schmidt</strong> (schmidt@nach-vorne.eu), 2011-04-21T05:24:18+02:00, <a class="external" href="https://www.chiliproject.org/issues/345?journal_id=1645">journal 1645</a></p>
<p>Eric Davis wrote:</p>
<blockquote>
<ul>
<li>From what I remember, this bug was worked around in a newer rails version which is in unstable already, so 2.0 could have it removed. (I'll need to check the security report).</li>
</ul>
</blockquote>
<p>According to <a href="http://groups.google.com/group/rubyonrails-security/browse_thread/thread/dd820c64429b8bca?pli=1" class="external">this post on the Rails Security mailing list</a> these changes were introduced in Rails 2.3.3, i.e. they are already in master.</p>
<p><strong>Eric Davis</strong>, 2011-05-27T21:40:40+02:00, <a class="external" href="https://www.chiliproject.org/issues/345?journal_id=1924">journal 1924</a></p>
<ul><li><strong>Assignee</strong> set to <i>Eric Davis</i></li><li><strong>(deleted custom field)</strong> set to <i>master</i></li><li><strong>Status</strong> changed from <i>Ready for review</i> to <i>Closed</i></li></ul><p>I've removed the patch. Looking at the history, it was added while on Rails 2.2.2. Since we are on 2.3.11 now Rails should handle it for us.</p>
<p>Thanks for reviewing and researching this. We could probably do a sweep through the code and remove old patches and compatibility hacks now (e.g. the cruft at the bottom of config/routes.rb...)</p>