From 204709f4df0102bc72b8621e64e711da2cd01e92 Mon Sep 17 00:00:00 2001
From: Go MAEDA
Date: Thu, 25 Aug 2022 13:47:04 +0000
Subject: [PATCH] Use the classes whitelist configured in application.rb instead of hardcoded classes (#37476).
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Patch by Jens Krämer.

git-svn-id: https://svn.redmine.org/redmine/trunk@21777 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/setting.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/models/setting.rb b/app/models/setting.rb
index aa27d9ecf..e2ff236be 100644
--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@@ -108,7 +108,7 @@ class Setting < ActiveRecord::Base
 v = read_attribute(:value)
 # Unserialize serialized settings
 if available_settings[name]['serialized'] && v.is_a?(String)
- v = YAML.safe_load(v, permitted_classes: [Symbol, ActiveSupport::HashWithIndifferentAccess])
+ v = YAML.safe_load(v, permitted_classes: Rails.configuration.active_record.yaml_column_permitted_classes)
 v = force_utf8_strings(v)
 end
 v = v.to_sym if available_settings[name]['format'] == 'symbol' && !v.blank?
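Review bot: The allowlist passed to `YAML.safe_load` on the added line is now the application-wide `yaml_column_permitted_classes` list, which is shared with every serialized ActiveRecord column, so any class later added there for an unrelated column also becomes loadable from stored setting values. Nothing visible in this hunk guarantees that the configured list is set, or that it still contains `Symbol` and `ActiveSupport::HashWithIndifferentAccess`; if either is missing, existing serialized settings would presumably fail to load with a disallowed-class error. I would document the coupling above the call, e.g. `# Allowlist comes from config.active_record.yaml_column_permitted_classes (application.rb); keep it minimal, every class listed there can be instantiated from stored settings.` The enclosing method starts and ends outside the hunk, so how a load failure is handled cannot be judged from here.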