Actions
Patch #41331
open
Gemfile patch: fix for handling (security related) ERB expressions in database.yml
Status:
New
Priority:
Normal
Assignee:
-
Category:
Ruby support
Target version:
-
Start date:
Due date:
% Done:
0%
Estimated time:
Description
Redmine installations that use ERB expressions (like `<% %>`) in their database.yml file may encounter issues during parsing.
To address this, we've applied a patch to the Gemfile that ensures compatibility when handling files containing such special characters, thus preventing common errors.
This patch modifies the way the database.yml is processed, ignoring lines that contain ERB expressions.
This is particularly useful for installations where the database configuration might contain sensitive data managed via Rails' encrypted credentials or other mechanisms that use ERB.
Index: Gemfile
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/Gemfile b/Gemfile
--- a/Gemfile (revision 277728afc979a7123eef8d1a8ac54d74c235c5fc)
+++ b/Gemfile (date 1727590462090)
@@ -61,7 +61,7 @@
require 'yaml'
database_file = File.join(File.dirname(__FILE__), "config/database.yml")
if File.exist?(database_file)
- yaml_config = ERB.new(IO.read(database_file)).result
+ yaml_config = ERB.new(IO.readlines(database_file).reject { |line| line =~ /<%.*%>/ }.join).result
database_config = YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml_config) : YAML.load(yaml_config)
adapters = database_config.values.filter_map {|c| c['adapter']}.uniq
if adapters.any?
Files
Updated by
Actions