[DRE-maint] Redmine ActionView::Template::Error after recent Rails security update
Lucas Kanashiro
kanashiro at debian.org
Thu Sep 8 16:30:18 BST 2022
Hi Sven,
On 06/09/2022 03:41, Sven Eckelmann wrote:
> On Tuesday, 6 September 2022 06:12:21 CEST Jude Hungerford wrote:
> [...]
>> Looking in /var/log/redmine/default/production.log, I see the following
>> error message:
>>
>> """
>> Started GET "/redmine/" for 203.221.207.132 at 2022-09-06 10:27:56 +1000
>> Processing by WelcomeController#index as HTML
>> Current user: jude (id=4)
>> Rendering welcome/index.html.erb within layouts/base
>> Rendered welcome/index.html.erb within layouts/base (3.5ms)
>> Completed 500 Internal Server Error in 19ms (ActiveRecord: 4.9ms)
>>
>> ActionView::Template::Error (unknown keywords: permitted_classes, aliases):
>> 11: <%= favicon %>
>> 12: <%= stylesheet_link_tag 'jquery/jquery-ui-1.11.0', 'application',
>> 'responsive', :media => 'all' %>
>> 13: <%= stylesheet_link_tag 'rtl', :media => 'all' if l(:direction) ==
>> 'rtl' %>
>> 14: <%= javascript_heads %>
>> 15: <%= heads_for_theme %>
>> 16: <%= call_hook :view_layouts_base_html_head %>
>> 17: <!-- page specific tags -->
>>
>> app/models/user_preference.rb:61:in `[]'
>> app/models/user_preference.rb:79:in `warn_on_leaving_unsaved'
>> app/helpers/application_helper.rb:1493:in `javascript_heads'
>> app/views/layouts/base.html.erb:14:in
>> `_app_views_layouts_base_html_erb__2757522946862800469_70311845404380'
>> lib/redmine/sudo_mode.rb:63:in `sudo_mode'
>> """
> This is also discussed [1] in the rails issue tracker. Two problematic pieces
> (with following workarounds) are mentioned there.
>
>
> * ruby-psych
>
> --- /usr/lib/ruby/2.5.0/psych.rb.old 2022-09-06 08:35:25.169690412 +0200
> +++ /usr/lib/ruby/2.5.0/psych.rb 2022-09-06 08:27:29.875033328 +0200
> @@ -544,3 +544,26 @@
> end
> # :startdoc:
> end
> +
> +# Workaround for https://lists.debian.org/debian-backports/2022/09/msg00003.html
> +module Psych
> + module_function
> +
> + class << self
> + alias original_safe_load safe_load
> + end
> +
> + def safe_load(yaml,
> + whitelist_classes = [],
> + whitelist_symbols = [],
> + arg_aliases = false,
> + filename = nil,
> + symbolize_names: false,
> + permitted_classes: whitelist_classes,
> + aliases: false)
> + original_safe_load(
> + yaml, permitted_classes, whitelist_symbols, aliases || arg_aliases, filename,
> + symbolize_names: symbolize_names,
> + )
> + end
> +end
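
Review bot: the replacement safe_load signature takes only permitted_classes: and aliases: from the keyword-style interface, so a caller that passes permitted_symbols: will still fail with the same "unknown keywords" error shown in the log. Consider adding permitted_symbols: whitelist_symbols to the parameter list and forwarding that value in place of whitelist_symbols in the original_safe_load call. The comment should also say that the edited file is the packaged /usr/lib/ruby/2.5.0/psych.rb: the override applies to every Ruby program on the host and is likely to be overwritten when the package providing it is upgraded.
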
>
> * redmine
>
> --- /usr/share/redmine/config/application.rb.old 2022-09-06 08:36:35.618677157 +0200
> +++ /usr/share/redmine/config/application.rb 2022-09-06 08:37:33.415486699 +0200
> @@ -20,6 +20,9 @@
> config.active_record.store_full_sti_class = true
> config.active_record.default_timezone = :local
>
> + # Workaround for https://lists.debian.org/debian-backports/2022/09/msg00003.html
> + config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time, ActiveSupport::HashWithIndifferentAccess]
> +
> # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
> # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
> # config.time_zone = 'Central Time (US & Canada)'
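
Review bot: the comment above yaml_column_permitted_classes only links to the mailing-list thread and does not say why Symbol, Date, Time and ActiveSupport::HashWithIndifferentAccess are each needed. This setting is the allow-list of classes that YAML-serialized columns may be deserialized into, so it should stay as short as the stored data requires. Note next to the list which serialized data needs each class (the trace above fails in app/models/user_preference.rb), so that later additions can be reviewed against that record instead of being appended until the error goes away.
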
>
> I hope these pointers help the actual maintainers to find a good solution
Thanks for all the information you provided. The rails maintainer is
working to fix that; this issue is not impacting only redmine but also some
other packages. So let's wait for them before thinking about any
redmine-specific change. I hope the fix will land soon.
Cheers!
--
Lucas Kanashiro