From b6c218deed9fcb9b4081e0a98f081ecf2558cb20 Mon Sep 17 00:00:00 2001
From: Go MAEDA
Date: Wed, 20 Jul 2022 03:05:10 +0000
Subject: [PATCH] Don't use YAML.unsafe_load (#37450).

Patch by Go MAEDA.

git-svn-id: https://svn.redmine.org/redmine/trunk@21722 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/setting.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/app/models/setting.rb b/app/models/setting.rb
index a7b763503..53b88bcad 100644
--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@@ -108,8 +108,7 @@ class Setting < ActiveRecord::Base
     v = read_attribute(:value)
     # Unserialize serialized settings
     if available_settings[name]['serialized'] && v.is_a?(String)
-      # YAML.load works as YAML.safe_load if Psych >= 4.0 is installed
-      v = YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(v) : YAML.load(v)
+      v = YAML.safe_load(v, permitted_classes: [ActiveSupport::HashWithIndifferentAccess])
       v = force_utf8_strings(v)
     end
     v = v.to_sym if available_settings[name]['format'] == 'symbol' && !v.blank?
--
2.39.5
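Review bot: The new `YAML.safe_load` call raises `Psych::DisallowedClass` (or a bad-alias error) out of this method for any stored serialized setting whose YAML contains a class outside the permitted list or a YAML alias, where the removed `unsafe_load` path silently accepted such documents; the commit adds no migration or rescue, so a legacy row holding e.g. a Symbol or Time would now make reading that setting fail, which is worth confirming against what existing installations actually have stored before shipping. If the supported Ruby range still includes a Psych older than 3.1 (Ruby 2.5), `permitted_classes:` is not a recognized keyword there and is swallowed into the positional whitelist argument, which would disallow `HashWithIndifferentAccess` as well — check the Gemfile's ruby constraint. A why-comment on the new line would also help future maintainers resist widening the list, e.g. `# Only plain YAML collections/scalars plus HashWithIndifferentAccess are expected here; never permit Symbol or arbitrary objects — stored values are untrusted input to the deserializer`. The enclosing method starts before and ends after this hunk.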