Defect #37719: Broken serialized columns, if saved time was with Rails 4.2
Status: closed (0% done)
Description
All serialized columns are broken if the data in the database was saved with Rails 4.2 in older Redmine versions.
This bug was introduced with #37452 and CVE-2022-32224.
E.g. the saved settings of all plugins are broken if the last save was done with Rails 4.2:
Psych::DisallowedClass (Tried to load unspecified class: ActionController::Parameters):
  app/models/setting.rb:111:in `value'
  app/models/setting.rb:125:in `[]'
  app/models/setting.rb:320:in `plugin_redmine_issue_templates'
  app/controllers/settings_controller.rb:78:in `plugin'
  lib/redmine/sudo_mode.rb:61:in `sudo_mode'
The easiest solution for this would be to add "ActionController::Parameters" to config.active_record.yaml_column_permitted_classes.
Maybe there is another solution to convert ActionController::Parameters to ActiveSupport::HashWithIndifferentAccess for existing stored data, but I did not find one.
I think it is important to solve this bug before releasing 5.0.3, because lots of Redmine systems are affected by this problem.
My environment:
- Redmine Master (same bug with upcoming 5.0.3)
- PostgreSQL 14
- Ruby 3.1.2 (same problem with older Ruby versions)
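The second option mentioned in the report (converting the stored value instead of permitting the class) as an added example; this is not Redmine's or Rails' code. It assumes the stored YAML carries one of Psych's two tags for a Hash subclass (`!ruby/hash:` or `!ruby/hash-with-ivars:`), rewrites the Psych parse tree so the class is never instantiated, and then loads the result with the same restricted loader that produces the Psych::DisallowedClass error above. The sample YAML strings are constructed.

```ruby
require "yaml"

# Constructed samples of what an older app could have written into a
# serialized column when controller params were stored as-is. In Rails 4.2
# ActionController::Parameters was a Hash subclass, so Psych tagged it as a
# Ruby hash; Psych versions that dump instance variables use the second form.
LEGACY_HASH_YAML = <<~YAML
  --- !ruby/hash:ActionController::Parameters
  enabled: '1'
  default_template: '3'
YAML

LEGACY_HASH_WITH_IVARS_YAML = <<~YAML
  --- !ruby/hash-with-ivars:ActionController::Parameters
  elements:
    enabled: '1'
    default_template: '3'
  ivars:
    ':@permitted': false
YAML

PARAMS_TAGS = {
  "!ruby/hash:ActionController::Parameters" => :plain,
  "!ruby/hash-with-ivars:ActionController::Parameters" => :with_ivars,
}.freeze

# Load the way Rails does after the CVE-2022-32224 fix: only the listed
# classes may be revived, any other tagged class raises Psych::DisallowedClass.
def strict_load(yaml, permitted_classes = [])
  YAML.safe_load(yaml, permitted_classes: permitted_classes)
end

# True when the restricted loader rejects the value, i.e. this is one of the
# "broken" columns the report describes.
def rejected_by_strict_load?(yaml)
  strict_load(yaml)
  false
rescue Psych::DisallowedClass
  true
end

# Strip the class tag from the parse tree and load the untagged YAML strictly.
# Nothing is instantiated from the tag, so no permitted_classes entry and no
# Rails constant is needed; the result is a plain Hash.
def untag_legacy_parameters(yaml)
  stream = YAML.parse_stream(yaml)
  stream.each do |node| # depth-first walk over every node
    kind = PARAMS_TAGS[node.tag]
    next unless kind
    if kind == :with_ivars
      # children is a flat [key, value, key, value] list; keep only `elements`
      pairs = node.children.each_slice(2).to_h { |k, v| [k.value, v] }
      node.children.replace(pairs.fetch("elements").children)
    end
    node.tag = nil
    node.implicit = true
  end
  strict_load(stream.to_yaml)
end
```

The converted Hash can then be written back to the column (or wrapped in ActiveSupport::HashWithIndifferentAccess inside the app) so later reads no longer hit the tag.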