This repository has been archived by the owner on Feb 9, 2019. It is now read-only.
Hi,
The current version of sedis has a critical bug - it doesn't release broken objects back to the jedis pool correctly. This has the side effect of new calls returning results of previous calls; essentially you get "random" output. This is very bad.
There's a PR with a fix: pk11/sedis#14
Any chance you can either fork sedis and incorporate that PR, or just get rid of the dependency on sedis? This bug has very bad implications for anything that uses RedisCacheApi, especially things surrounding security/authentication, such as SecureSocial or other plugins.
Here's a more detailed issue with the incorrect jedis pool usage: redis/jedis#909
It also details how to reproduce getting incorrect output from redis: (redis/jedis#909 (comment))
Thanks!
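The failure described in this issue, modelled as an added example (not code from sedis, Jedis or this plugin): a connection whose reply was never read goes back to the pool, and the next caller reads that stale reply. `Connection`, `Pool`, `cache_get` and the session keys are hypothetical names, and the timeout as the cause of the broken connection is an assumption.

```python
from collections import deque

class Connection:
    """Toy pooled connection: replies come back in the order commands were sent."""
    def __init__(self, store):
        self.store = store
        self.unread = deque()   # replies sent by the server that nobody has read yet
        self.broken = False

    def get(self, key, timeout=False):
        self.unread.append(self.store.get(key))   # server answers the command
        if timeout:                                # assumed trigger: caller gives up early
            self.broken = True
            raise TimeoutError(key)
        return self.unread.popleft()               # read the oldest pending reply

class Pool:
    def __init__(self, store, discard_broken):
        self.store = store
        self.discard_broken = discard_broken
        self.idle = [Connection(store)]

    def borrow(self):
        return self.idle.pop() if self.idle else Connection(self.store)

    def release(self, conn):
        # Buggy behaviour: a broken connection goes back as if it were healthy.
        # Fixed behaviour: drop it so its unread reply can never be delivered.
        if conn.broken and self.discard_broken:
            return
        self.idle.append(conn)

def cache_get(pool, key, timeout=False):
    conn = pool.borrow()
    try:
        return conn.get(key, timeout)
    except TimeoutError:
        return None
    finally:
        pool.release(conn)

def lookup_after_timeout(discard_broken):
    # Constructed sample data standing in for cached session entries.
    store = {"session:alice": "alice-token", "session:bob": "bob-token"}
    pool = Pool(store, discard_broken)
    cache_get(pool, "session:alice", timeout=True)   # first call fails before reading
    return cache_get(pool, "session:bob")            # second call reuses the pool
```

With `discard_broken=False` the lookup for `session:bob` returns `alice-token`, which is why the bug matters for authentication caches; with `discard_broken=True` it returns `bob-token`.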
This library hasn't been supported or actively maintained for some time (as indicated in the readme). I would recommend one of the actively-maintained redis plugins:
The best strategy would probably be to update the existing cache implementations to use Jedis directly.
If you sent a PR with the fix, it would probably not be much work for us to merge it and cut a new release, so I suppose we could do that given the severity of the bug. But you would be better off starting with something actively maintained. As it is we can't promise timely updates if there are other critical bugs in the future.
The Lifeway version seems to have the same issue, and it's no longer maintained.
So we released a forked version of this plugin with a fix for this issue, using Jedis directly as @gmethvin mentioned. Anyone still using this plugin with Play 2.5 can move to our version to avoid this issue. We also plan to provide a Play 2.6 version of the plugin in the future. https://github.com/bizreach/play-redis