Use the classes whitelist configured in application.rb instead of hardcoded classes (#37476).

Patch by Jens Krämer. git-svn-id: https://svn.redmine.org/redmine/trunk@21777 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-02-01 03:57:15 +00:00 · 2022-08-25 13:47:04 +00:00 · 2022-08-25 13:47:04 +00:00 · 204709f4df
commit 204709f4df
parent 6b4a33b406
1 changed files with 1 additions and 1 deletions
--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@ -108,7 +108,7 @@ class Setting < ActiveRecord::Base
    v = read_attribute(:value)
    # Unserialize serialized settings
    if available_settings[name]['serialized'] && v.is_a?(String)
-      v = YAML.safe_load(v, permitted_classes: [Symbol, ActiveSupport::HashWithIndifferentAccess])
+      v = YAML.safe_load(v, permitted_classes: Rails.configuration.active_record.yaml_column_permitted_classes)
      v = force_utf8_strings(v)
    end
    v = v.to_sym if available_settings[name]['format'] == 'symbol' && !v.blank?