Defect #37719

Broken serialized columns, if saved time was with Rails 4.2

Added by Alexander Meindl over 1 year ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Plugin API
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Affected version:

Description

All serialized columns are broken, if the data in database was saved with Rails 4.2 in older redmine versions.

This bug was introduced with #37452 and CVE-2022-32224.

E.g. saved settings for all plugins are broken, if the last save was with Rails 4.2:

Psych::DisallowedClass (Tried to load unspecified class: ActionController::Parameters):

app/models/setting.rb:111:in `value'
app/models/setting.rb:125:in `[]'
app/models/setting.rb:320:in `plugin_redmine_issue_templates'
app/controllers/settings_controller.rb:78:in `plugin'
lib/redmine/sudo_mode.rb:61:in `sudo_mode'

The easiest solution for this would be to add "ActionController::Parameters" to config.active_record.yaml_column_permitted_classes.
Maybe there is another solution to convert ActionController::Parameters to ActiveSupport::HashWithIndifferentAccess for existing stored data, but I did not find one.

I think it is important to solve this bug before releasing 5.0.3, because lots of Redmine systems are affected by this problem.

My environment:

  • Redmine Master (same bug with upcoming 5.0.3)
  • PostgreSQL 14
  • Ruby 3.1.2 (same problem with older ruby versions)

Files

yaml_column_permitted_classes.patch (527 Bytes) - Alexander Meindl, 2022-09-28 05:15

Related issues

Related to Redmine - Patch #37452: Update Rails to 6.1.7 - Closed - Go MAEDA
Related to Redmine - Patch #37465: Update Rails to 5.2.8.1 - Closed - Go MAEDA

Actions #1

Updated by Go MAEDA over 1 year ago

Could you tell me the version of Redmine and Issue Templates Plugin?

I tried to reproduce the issue by migrating the database from the following environment to the current trunk but I could not.

Source environment: Redmine 3.4.13 (Rails 4.2.11.1), Redmine Issue Templates Plugin 0.2.1

Actions #2

Updated by Alexander Meindl over 1 year ago

Hi,

Did you press "Save" on the plugin settings of the Issue Templates Plugin?

With "Save", Rails stores "ActionController::Parameters" in the database (serialize). The "Issue Templates Plugin" is only an example; this happens with all serialized columns which stored data in the database with Rails < 5.

I get this error with all plugins; this was just an example. If you update the settings with Redmine 5.0.2, the data in the database uses ActiveSupport::HashWithIndifferentAccess and the problem would be fixed. But with current master, older serialized data with "ActionController::Parameters" can no longer be read because of Psych::DisallowedClass after updating to the latest Redmine version.

PS: after updating to the latest Redmine I use the latest Issue Templates Plugin. I do not remember which version was active on the old Redmine version, but I think it doesn't matter; the problem exists with all versions.

Actions #3

Updated by Alexander Meindl over 1 year ago

Hi again,

I found some information on this problem at https://www.redmineup.com/pages/help/troubleshooting/psych-disallowed-class-fix, too.

Btw., not only settings are affected, but all serialized columns.

Actions #4

Updated by Go MAEDA over 1 year ago

Actions #5

Updated by Go MAEDA over 1 year ago

  • Category set to Plugin API
  • Target version set to 4.2.8

Thank you for providing additional information.

Setting the target version to 5.0.3.

Actions #6

Updated by Go MAEDA over 1 year ago

  • Target version changed from 4.2.8 to 5.0.3

Actions #7

Updated by Go MAEDA over 1 year ago

  • Status changed from New to Closed
  • Assignee set to Go MAEDA
  • Target version deleted (5.0.3)

Committed the fix as a part of #37452. Thank you for your contribution.

Actions #8

Updated by Vincent Robert over 1 year ago

Can you please apply this fix to the 4.2-stable branch?
This way the bug can be fixed in next release 4.2.8. Thank you.

Actions #9

Updated by Go MAEDA over 1 year ago

Actions #10

Updated by Go MAEDA over 1 year ago

Vincent Robert wrote:

Can you please apply this fix to the 4.2-stable branch?
This way the bug can be fixed in next release 4.2.8. Thank you.

Done in r21871. Thank you for pointing it out.
