Defect #37814
closed
Plugins that serialize Date or Time objects cause Psych::DisallowedClass exception
0%
Description
I'm upgrading Redmine 4.2.7 to 4.2.8 (docker images) and cannot view any page after user login was done on website.
Upgraded web UI renders that for me:
Internal error An error occurred on the page you were trying to access. If you continue to experience problems please contact your Redmine administrator for assistance. If you are the Redmine administrator, check your log files for details about the error. Back
Docker logs:
redmine_1 | I, [2022-10-22T17:11:52.640849 #1] INFO -- : Processing by WelcomeController#index as HTML redmine_1 | I, [2022-10-22T17:11:52.659002 #1] INFO -- : Current user: XXX (id=YY) redmine_1 | I, [2022-10-22T17:11:52.687604 #1] INFO -- : Rendering welcome/index.html.erb within layouts/base redmine_1 | I, [2022-10-22T17:11:52.712666 #1] INFO -- : Rendered collection of news/_news.html.erb [5 times] (22.0ms) redmine_1 | I, [2022-10-22T17:11:52.716957 #1] INFO -- : Rendered welcome/index.html.erb within layouts/base (29.2ms) redmine_1 | I, [2022-10-22T17:11:52.719162 #1] INFO -- : Completed 500 Internal Server Error in 78ms (ActiveRecord: 21.9ms) redmine_1 | F, [2022-10-22T17:11:52.719874 #1] FATAL -- : redmine_1 | F, [2022-10-22T17:11:52.719920 #1] FATAL -- : ActionView::Template::Error (Tried to load unspecified class: Date): redmine_1 | F, [2022-10-22T17:11:52.720092 #1] FATAL -- : 11: <%= favicon %> redmine_1 | 12: <%= stylesheet_link_tag 'jquery/jquery-ui-1.13.2', 'tribute-5.1.3', 'application', 'responsive', :media => 'all' %> redmine_1 | 13: <%= stylesheet_link_tag 'rtl', :media => 'all' if l(:direction) == 'rtl' %> redmine_1 | 14: <%= javascript_heads %> redmine_1 | 15: <%= heads_for_theme %> redmine_1 | 16: <%= heads_for_auto_complete(@project) %> redmine_1 | 17: <%= call_hook :view_layouts_base_html_head %> redmine_1 | F, [2022-10-22T17:11:52.720259 #1] FATAL -- : redmine_1 | F, [2022-10-22T17:11:52.720405 #1] FATAL -- : app/models/user_preference.rb:69:in `[]' redmine_1 | app/models/user_preference.rb:87:in `warn_on_leaving_unsaved' redmine_1 | app/helpers/application_helper.rb:1713:in `javascript_heads' redmine_1 | app/views/layouts/base.html.erb:14:in `_app_views_layouts_base_html_erb__593409969835306285_78780' redmine_1 | lib/redmine/sudo_mode.rb:61:in `sudo_mode'
I'm using MySQL 5.7 as a database.
I have no installed plugins.
I reproduce that error on default configuration: block mapping my configuration to container.
Migrations were redone manually, as described redmineupgrade (https://www.redmine.org/projects/redmine/wiki/Redmineupgrade), step 4 & 5
Now I rolled back to 4.2.7 version, but it looks like I cannot receive any upgrade. That sounds bad.
Files
Updated by Alex Overchenko about 2 years ago
- I'm using official docker images: https://hub.docker.com/_/redmine
- I migrated local instance to 5.0.2 version - and all work nice. After upgrading to the latest 5.0.3 I have the same error, as described
- I'm opening root site page for bug reproducing: http://localhost:3000/
Updated by Go MAEDA about 2 years ago
Could you try adding "Date" to yaml_column_permitted_classes in config/application.rb as follows and see if it solves the problem?
diff --git a/config/application.rb b/config/application.rb
index 1b22feb12..82a0e18ca 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -34,6 +34,7 @@ module RedmineApp
config.active_record.default_timezone = :local
config.active_record.yaml_column_permitted_classes = [
Symbol,
+ Date,
ActiveSupport::HashWithIndifferentAccess,
ActionController::Parameters
]
Updated by Alex Overchenko about 2 years ago
Go MAEDA wrote:
Could you try adding "Date" to yaml_column_permitted_classes in config/application.rb as follows and see if it solves the problem?
[...]
Thanks, Go MAEDA
That manual changes helps to start 4.2.8 & 5.0.3 versions.
Is that changes will be available in 5.0.4, 4.2.9 & next versions?
With regards,
Alex
Updated by Felix Schäfer about 2 years ago
We (Planio) have also observed this with certain plugins and certain of our internal additions saving Date or Time objects in serialised fields such as Settings and UserPreferences, plugin settings and so on.
We would propose adding the Date and Time classes to the list of permitted classes. Those classes were shown in the examples for the mitigation of CVE-2022-32224 and are permitted by default in the safe_yaml gem. They are also integral parts of the standard yaml capabilities and not "added" as tags or any other yaml extension.
diff --git a/config/application.rb b/config/application.rb
index 1b22feb12e..5e93df122d 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -33,6 +33,8 @@ module RedmineApp
config.active_record.store_full_sti_class = true
config.active_record.default_timezone = :local
config.active_record.yaml_column_permitted_classes = [
+ Date,
+ Time,
Symbol,
ActiveSupport::HashWithIndifferentAccess,
ActionController::Parameters
Updated by Go MAEDA about 2 years ago
- Subject changed from Redmine Internal error 500 to Plugins that serialize Date or Time objects cause Psych::DisallowedClass exception
- Category set to Rails support
- Target version set to 4.2.9
Felix Schäfer wrote:
We would propose adding the
DateandTimeclasses to the list of permitted classes. Those classes were shown in the examples for the mitigation of CVE-2022-32224 and are permitted by default in thesafe_yamlgem. They are also integral parts of the standard yaml capabilities and not "added" as tags or any other yaml extension.[...]
Thank you for suggesting the change. Setting the target version to 4.2.9.
Updated by Go MAEDA about 2 years ago
- Status changed from New to Closed
- Assignee set to Go MAEDA
- Resolution set to Fixed
Committed the fix suggested in #37814#note-4.
Alex Overchenko wrote:
That manual changes helps to start 4.2.8 & 5.0.3 versions.
Is that changes will be available in 5.0.4, 4.2.9 & next versions?