[DRE-maint] Bug#1019238: ...a more upstream-like fix for the issue

Adi Kriegisch adi at kriegisch.at
Sun Sep 11 20:50:15 BST 2022


Dear all,

according to the corresponding GitHub issue[1], the source of the problem
is an old version of psych embedded into ruby2.5 (which already is EOL
upstream). While we're all eagerly awaiting a backport of redmine for
bullseye, the issue can be mitigated by the following 3 steps:
1. install the patched version of yaml_column.rb:
  | mv /usr/share/rubygems-integration/all/gems/activerecord-5.2.2.1/lib/active_record/coders/yaml_column.rb \
  |    /usr/share/rubygems-integration/all/gems/activerecord-5.2.2.1/lib/active_record/coders/yaml_column.rb-orig
  | wget -O /usr/share/rubygems-integration/all/gems/activerecord-5.2.2.1/lib/active_record/coders/yaml_column.rb \
  |    https://raw.githubusercontent.com/skipkayhil/rails/5ab06e54b6868b249185e9fdf46349155665c54a/activerecord/lib/active_record/coders/yaml_column.rb
2. patch psych by overriding the class:
  | cat >> /usr/lib/ruby/2.5.0/psych.rb <<EOF
  | module Psych
  |   module_function
  | 
  |   class << self
  |     alias original_safe_load safe_load
  |   end
  | 
  |   def safe_load(yaml,
  |                 whitelist_classes = [],
  |                 whitelist_symbols = [],
  |                 arg_aliases = false,
  |                 filename = nil,
  |                 symbolize_names: false,
  |                 permitted_classes: whitelist_classes,
  |                 aliases: false)
  |     original_safe_load(
  |       yaml, permitted_classes, whitelist_symbols, aliases || arg_aliases, filename,
  |       symbolize_names: symbolize_names,
  |     )
  |   end
  | end
  | EOF
3. add permitted classes to /usr/share/redmine/config/application.rb:
  | config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time, ActiveSupport::HashWithIndifferentAccess]

After these changes redmine works again.

all the best,
    Adi

[1] https://github.com/rails/rails/issues/45590
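
An added example, not part of the original message or of Redmine/Rails: a small audit that reports which classes in stored YAML values would still be refused under the allow-list from step 3, so the list can be kept as short as possible. It assumes a Psych whose safe_load accepts permitted_classes: and aliases: (what the shim in step 2 provides); first_blocker, audit and SAMPLES are hypothetical names, and the sample values are constructed.

```ruby
require 'psych'
require 'date'

# Allow-list from step 3, minus ActiveSupport::HashWithIndifferentAccess,
# which is left out here only so the script runs without Rails loaded.
PERMITTED = [Symbol, Date, Time].freeze

# Returns nil when the value loads under the allow-list, otherwise the name
# of the first class Psych refused ("alias" when the value uses YAML aliases).
def first_blocker(yaml, permitted = PERMITTED)
  Psych.safe_load(yaml, permitted_classes: permitted, aliases: false)
  nil
rescue Psych::DisallowedClass => e
  e.message[/unspecified class: (\S+)/, 1] || e.message
rescue Psych::BadAlias
  'alias'
end

# Tally blockers across many stored values, e.g. rows of a serialized column.
def audit(values, permitted = PERMITTED)
  values.each_with_object(Hash.new(0)) do |yaml, tally|
    blocker = first_blocker(yaml, permitted)
    tally[blocker] += 1 if blocker
  end
end

# Constructed sample values, shaped like what a serialized column may hold.
SAMPLES = [
  "---\n:due: 2022-09-11\n:seen: 2022-09-11 20:50:15 +01:00\n",
  "--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nfoo: bar\n",
  "--- !ruby/object:OpenStruct\ntable:\n  a: 1\n",
  "---\na: &x [1]\nb: *x\n",
].freeze

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLES).each { |name, n| puts "#{n} value(s) blocked by #{name}" }
end
```

A class reported here should be added to the allow-list only if the application is known to serialize it; an unexpected name such as OpenStruct is a reason to inspect the stored value instead.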