Redis plugin - Sedis pool bug

[dontgitit]

Hi,

The current version of sedis has a critical bug - it doesn't release broken objects back to the jedis pool correctly. This has the side effect of new calls returning results of previous calls; essentially you get "random" output. This is very bad.

There's a PR with a fix: pk11/sedis#14

Any chance you can either fork sedis and incorporate that PR, or just get rid of the dependency on sedis? This bug has very bad implications for anything that uses RedisCacheApi, especially things surrounding security/authentication, such as SecureSocial or other plugins.

Here's a more detailed issue with the incorrect jedis pool usage: redis/jedis#909
It also details how to reproduce getting incorrect output from redis: (redis/jedis#909 (comment))

Thanks!

[gmethvin]

This library hasn't been supported or actively maintained for some time (as indicated in the readme). I would recommend one of the actively-maintained redis plugins:

• https://github.com/KarelCemus/play-redis
• https://github.com/lifeway/play-redis

https://github.com/lifeway/play-redis is a fork of this one, so you may want to ask them to make this change.

The best strategy would probably be to update the existing cache implementations to use Jedis directly.

If you sent a PR with the fix, it would probably not be much work for us to merge it and cut a new release, so I suppose we could do that given the severity of the bug. But you would be better off starting with something actively maintained. As it is we can't promise timely updates if there are other critical bugs in the future.

[takezoe]

Lifeway version seems to have a same issue and it's maintained no longer.

So we released a forked version of this plugin with fix for this issue by using Jedis directly as @gmethvin mentioned. If there is someone still use this plugin with Play 2.5, can move to our version to avoid this issue. Also we have a plan to provide Play 2.6 version of the plugin in the future.
https://github.com/bizreach/play-redis