Grav: Reverting to previous versions of parsedown and parsedown-extra

Created on 15 Mar 2018 · 17 Comments · Source: getgrav/grav

Due to the recent problems encountered with the new security release of parsedown and parsedown-extra (which introduce some errors in Grav, such as breaking markup for image captions or footnotes), I wonder if it would not be better to revert temporarily (_just during the period this bug is not properly resolved_) to an efficient previous version (by simply updating the dependencies in composer.json and rebuilding the composer.lock accordingly).

This is more a _question_ than a real suggestion: I don't know all the possible interdependencies, but as the time to solve the problem is unknown and the previous versions were functional, I suppose this little change could be potentially considered.

question

All 17 comments

The problem is that I'm not sure these are considered 'bugs' for the Parsedown library; rather, they are exploiting loopholes in the previously unsecured Parsedown handling of elements.

I doubt that there will be a fix in the Parsedown library as any fix, just re-exposes those vulnerabilities. It probably makes more sense to simply move to another solution rather than using markdown based ones.

For example, use image-captions for image captions, as this still works fine with the new Parsedown security fixes.

It probably makes more sense to simply move to another solution rather than using markdown based ones.

I can understand that it would be possible in some cases, but as I specifically chose Grav for its processing using markdown syntax, and more especially for its support of footnotes with the help of the smartypants plugin, this problem seriously impacts my current project.

I guess that one of the possible ways for me would be to specifically downgrade some of the parsedown components on my own installation, or even to entirely revert to a previous version of Grav where this problem had not yet appeared.

Unless you think that opening an issue on the smartypants plugin directory may, by any chance, have a little possibility of solution?

You don't need to revert Grav, or change anything manually. You simply change the Parsedown version to the one before the security fixes (1.6.4) in composer.json and composer update --no-dev to install it. You will have to do this each time you upgrade Grav though, as Grav is bundling the latest stable version.

I can't in good conscience force an older version of Parsedown in Grav core if it exposes security vulnerabilities for the sake of a few 3rd party plugins. It sucks, sure, but you can't mess around with security.

You would be better off opening an issue on Parsedown repo, and perhaps ask for an option to disable this security validation if you wish to do so for compatibility reasons. That way you could set an option for markdown, and still be able to stay on the latest version for other features and bugfixes.

Actually looks like there are some fixes already in motion for footnotes at least: https://github.com/erusev/parsedown-extra/issues/118

You simply change the Parsedown version to the one before the security fixes (1.6.4) in composer.json and composer update --no-dev to install it.

I have tried to do this, but due to the composer.lock file content, this process fails to correctly revert to a previous version. Maybe I did something wrong: I think I have to try it again.

I can't in good conscience force an older version of Parsedown in Grav core if it exposes security vulnerabilities for the sake of a few 3rd party plugins.

I totally understand this point of view, of course. That is exactly why I wrote earlier that this _issue_ seems to be more of _a question_ than an actual suggestion.

You would be better off opening an issue on Parsedown (...)

As there is yet an issue devoted to this (footnotes) problem, I think I will first subscribe to it in order to get a better view of the problem.

(...) ask for an option to disable this security validation if you wish to do so for compatibility reasons

This option would sound like a reasonable proposal indeed.

Thank you for the time spent responding to this thread.

You simply change the Parsedown version to the one before the security fixes (1.6.4) in composer.json and composer update --no-dev to install it.

After changing the version value to 1.6.4 and trying to update dependencies with the update --no-dev command, I now got the following error message:

Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - erusev/parsedown 1.6.4 conflicts with roave/security-advisories[dev-master].
    - erusev/parsedown 1.6.4 conflicts with roave/security-advisories[dev-master].
    - Installation request for erusev/parsedown 1.6.4 -> satisfiable by erusev/parsedown[1.6.4].
    - Installation request for roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].

I wonder if it could be related to this problem, where it is said that composer update command "_is now broken for everyone using roave/security-advisories_".

In order to use any vulnerable libraries, you need to disable roave/security-advisories. It's there to make sure that you cannot install known vulnerable libraries.

There is no ill effect removing the dependency, except that you will not get informed about vulnerabilities anymore.

So, as stated by @rhukster, who suggested downgrading to erusev/parsedown 1.6.4 to resolve the problem, and according to @mahagr, who indicated that roave/security-advisories can be removed to proceed correctly, I have finally succeeded in reverting to a dependency situation where footnotes are no longer broken.

Thanks to all.

Any chance of an actual step-by-step of the process, for those of us who are mere users of Grav rather than developers? I don't mind going into the Terminal, but it would be very useful to have a detailed list of what to do.

Sure:

  1. Edit composer.json in the root of Grav
  2. Remove the security checking dependency:
     "roave/security-advisories": "dev-master",
  3. Edit the parsedown entry to force the last pre-security fixed version:
     "erusev/parsedown": "1.6.4",
  4. From terminal run composer update --no-dev

NOTE: If you don't have composer installed, you can use the one bundled with Grav:

bin/composer.phar update --no-dev

Job done.
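As an added example (not Grav's code and not from anyone in this thread), a small Python check that reads composer.lock after the workaround above: it reports the installed erusev/parsedown version, whether it is still older than 1.8.0-beta1 (the release named later in the thread as carrying the fix), and whether roave/security-advisories is missing, so a site that pinned 1.6.4 can be spotted again after each Grav upgrade re-bundles its dependencies. It assumes the advisories metapackage is listed in the lock file's packages array when installed; the lock snippets are constructed.

```python
import json
import re

# Release named in this thread as carrying the Parsedown fix.
FIXED_VERSION = "1.8.0-beta1"
PARSEDOWN = "erusev/parsedown"
ADVISORIES = "roave/security-advisories"

def version_key(version):
    """Sortable key for Composer-style versions: a final release sorts
    after any pre-release of the same number (1.8.0-beta1 < 1.8.0)."""
    main, _, pre = version.lstrip("v").partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", main))
    nums += (0,) * (3 - len(nums))
    if pre:
        m = re.match(r"([a-zA-Z]*)(\d*)", pre)
        return nums + (0, m.group(1).lower(), int(m.group(2) or 0))
    return nums + (1, "", 0)

def installed_packages(lock_json):
    """Map package name -> version from the 'packages' array of composer.lock.
    Assumption: the advisories metapackage appears here when installed."""
    return {p["name"]: p["version"] for p in json.loads(lock_json).get("packages", [])}

def check_lock(lock_json):
    """Return the Parsedown version found and a list of findings
    (empty when the lock file looks healthy)."""
    pkgs = installed_packages(lock_json)
    parsedown = pkgs.get(PARSEDOWN)
    findings = []
    if parsedown is None:
        findings.append(f"{PARSEDOWN} not present in lock file")
    elif version_key(parsedown) < version_key(FIXED_VERSION):
        findings.append(f"{PARSEDOWN} {parsedown} predates the fix in {FIXED_VERSION}")
    if ADVISORIES not in pkgs:
        findings.append(f"{ADVISORIES} absent: known-vulnerable versions are no longer blocked")
    return parsedown, findings

# Constructed lock snippets: one after the workaround, one after the fix.
LOCK_WORKAROUND = json.dumps({"packages": [
    {"name": PARSEDOWN, "version": "1.6.4"}]})
LOCK_FIXED = json.dumps({"packages": [
    {"name": PARSEDOWN, "version": FIXED_VERSION},
    {"name": ADVISORIES, "version": "dev-master"}]})

if __name__ == "__main__":
    for label, lock in (("workaround", LOCK_WORKAROUND), ("fixed", LOCK_FIXED)):
        version, findings = check_lock(lock)
        print(label, version, findings or "OK")
```

Run it against the real composer.lock by replacing the constructed snippet with the file contents; two findings mean the workaround is still in effect.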

Very cool. Will report back in the morning, when I am less likely to mess up.

On Tue, 20 Mar 2018, at 5:30 PM, Andy Miller wrote:

Sure:

  1. Edit composer.json in the root of Grav
  2. Remove the security checking dependency:
     "roave/security-advisories": "dev-master",
  3. Edit the parsedown entry to force the last pre-security fixed version:
     "erusev/parsedown": "1.6.4",
  4. From terminal run composer update --no-dev

Job done.

Thank you very much.

That worked perfectly locally.

When I went to do it in production (I sync only /user via github) I got an error with Composer, because the .phar extension is not installed. Rather than mess with php.ini (I'm on Dreamhost, so it is complicated) I just copied up the /parsedown folder.

It works, but I was wondering, will there be problems in future? Am I better off creating a new copy of Grav root (ignoring /user) via github?

Thanks again.

Jeremy


There's actually a fix in Parsedown dev-master branch that addresses this issue. I've committed a fix using this version but will change it back to a proper version when properly released.

Sorry, not quite clear @rhukster: does this mean "wait a bit longer and all will be well"?

The fix is in Parsedown 1.8.0-beta1: https://github.com/erusev/parsedown/releases

So the next update of Grav will have the fix.
