Psych::DisallowedClass exception when loading default plugin settings (#37450, #37476).

Contributed by Dmitry Makurin.


git-svn-id: https://svn.redmine.org/redmine/trunk@21725 e93f8b46-1217-0410-a6f0-8f06a7374b81

2 files changed, 8 insertions, 1 deletions

diff --git a/app/models/setting.rb b/app/models/setting.rb
index 53b88bcad..aa27d9ecf 100644
--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@@ -108,7 +108,7 @@ class Setting < ActiveRecord::Base
     v = read_attribute(:value)
     # Unserialize serialized settings
     if available_settings[name]['serialized'] && v.is_a?(String)
-      v = YAML.safe_load(v, permitted_classes: [ActiveSupport::HashWithIndifferentAccess])
+      v = YAML.safe_load(v, permitted_classes: [Symbol, ActiveSupport::HashWithIndifferentAccess])
       v = force_utf8_strings(v)
     end
     v = v.to_sym if available_settings[name]['format'] == 'symbol' && !v.blank?
diff --git a/test/unit/lib/redmine/plugin_test.rb b/test/unit/lib/redmine/plugin_test.rb
index 54394ab57..a5a1b2aa3 100644
--- a/test/unit/lib/redmine/plugin_test.rb
+++ b/test/unit/lib/redmine/plugin_test.rb
@@ -196,6 +196,13 @@ class Redmine::PluginTest < ActiveSupport::TestCase
     end
   end
 
+  def test_default_settings
+    @klass.register(:foo_plugin) {settings :default => {'key1' => 'abc', :key2 => 123}}
+    h = Setting.plugin_foo_plugin
+    assert_equal 'abc', h['key1']
+    assert_equal 123, h[:key2]
+  end
+
   def test_settings_warns_about_possible_partial_collision
     @klass.register(:foo_plugin) {settings :partial => 'foo/settings'}
     Rails.logger.expects(:warn)