Ruby on Rails official site security update (2022-11-23)

Source: Ruby on Rails official site   Published: 2022-11-23

Basic information

Release date: 2022-11-23 (official local time)

Update type: security update

Updated version: v5.2.8.1

Detected at: 2022-11-24 03:10:07

Risk level: unknown

Intelligence contributed by: TSRC

Update title

Security update

Update details

## Active Support

* No changes.



## Active Model

* No changes.



## Active Record

* Change ActiveRecord::Coders::YAMLColumn default to safe_load

This adds two new configuration options. The configuration options are as
follows:

* `config.active_record.use_yaml_unsafe_load`

When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
the YAML deserialization vulnerability (CVE-2022-32224) in place. Setting this
option to true is *not* recommended, but can aid in upgrading.

* `config.active_record.yaml_column_permitted_classes`

The "safe YAML" loading method only deserializes YAML's basic types (strings,
numbers, booleans, nil, arrays and hashes) by default; any other class must be
explicitly permitted. This option allows you to specify classes deemed "safe"
in your application. For example, if your application stores Symbol, Date and
Time values in serialized data, you can add them to the allowed list as
follows:

```
config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
```

[CVE-2022-32224]
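
Added example, not code from the Rails changelog or the Rails code base: a minimal stand-in for `ActiveRecord::Coders::YAMLColumn`, here a hypothetical `YamlColumn` class whose two class-level settings model `config.active_record.use_yaml_unsafe_load` and `config.active_record.yaml_column_permitted_classes`. It is run against constructed column payloads to show what `safe_load` rejects by default, what permitting Symbol, Date and Time lets through, and what the unsafe option still allows: a `!ruby/object:` tag instantiating an application class without ever calling its constructor. The `LegacyPreference` class and the payloads are constructed for the example.

```ruby
require "yaml"
require "date"

# Hypothetical stand-in for ActiveRecord::Coders::YAMLColumn (added example,
# not Rails' own code). The two class-level settings model the two new Rails
# options: config.active_record.use_yaml_unsafe_load and
# config.active_record.yaml_column_permitted_classes.
class YamlColumn
  class << self
    attr_accessor :use_yaml_unsafe_load, :yaml_column_permitted_classes
  end
  self.use_yaml_unsafe_load = false        # new default after the fix
  self.yaml_column_permitted_classes = []  # nothing beyond YAML's basic types

  def dump(obj)
    YAML.dump(obj)
  end

  def load(yaml)
    return nil if yaml.nil?
    if self.class.use_yaml_unsafe_load
      # Pre-fix behaviour: any "!ruby/object:Klass" tag instantiates Klass.
      # Psych >= 4 (Ruby 3.1) moved the unsafe path to YAML.unsafe_load.
      YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
    else
      # Psych.safe_load raises Psych::DisallowedClass for any class that is
      # neither a basic type nor listed in permitted_classes.
      YAML.safe_load(yaml,
                     permitted_classes: self.class.yaml_column_permitted_classes,
                     aliases: true)
    end
  end
end

# A harmless application class (constructed for the example). Under unsafe
# loading a YAML document can allocate it and set its instance variables
# directly, bypassing initialize.
class LegacyPreference
  attr_reader :name
  def initialize(name)
    @name = name
  end
end

# Constructed sample column payloads (not real data).
PLAIN_PAYLOAD  = YamlColumn.new.dump({ "theme" => "dark", "retries" => 3 })
TYPED_PAYLOAD  = YamlColumn.new.dump({ theme: :dark,
                                       born: Date.new(2022, 11, 23),
                                       updated: Time.utc(2022, 11, 23, 10, 0, 0) })
OBJECT_PAYLOAD = "--- !ruby/object:LegacyPreference\nname: injected\n"

# Load a payload under the given settings. A document that safe_load rejects
# returns the Psych error message instead of raising, so outcomes compare.
def load_column(payload, unsafe: false, permitted: [])
  YamlColumn.use_yaml_unsafe_load = unsafe
  YamlColumn.yaml_column_permitted_classes = permitted
  YamlColumn.new.load(payload)
rescue Psych::DisallowedClass => e
  "rejected: #{e.message}"
end

if $PROGRAM_NAME == __FILE__
  p load_column(PLAIN_PAYLOAD)                                   # basic types load
  p load_column(TYPED_PAYLOAD)                                   # rejected: Symbol
  p load_column(TYPED_PAYLOAD, permitted: [Symbol, Date, Time])  # loads once permitted
  p load_column(OBJECT_PAYLOAD)                                  # rejected: LegacyPreference
  p load_column(OBJECT_PAYLOAD, unsafe: true)                    # LegacyPreference instance
end
```

Running the file prints one result per case. Before turning on the unsafe option as an upgrade stopgap, the practical check is to scan the serialized column's stored YAML for `!ruby/` tags and for bare symbols, dates and times, then permit only the classes that actually occur; an object tag naming a class the application never serializes is exactly what the safe default is there to refuse.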



## Action View

* No changes.



## Action Pack

* No changes.



## Active Job

* No changes.



## Action Mailer

* No changes.



## Action Cable

* No changes.



## Active Storage

* No changes.



## Railties

* No changes.

Software description

Ruby on Rails is a framework that makes developing, deploying and maintaining web applications simple.

CVE ID

CVE-2022-32224

USRC analysis

None yet

Industry news

None yet