Describe the bug
Rails 6.1.6.1 introduces a fix for CVE-2022-32224 - https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
With this patch, it changed the default YAML deserializer to use YAML.safe_load, which prevents deserialization of possibly dangerous objects. By default it does not allow all classes to be deserialized.
When creating a new Webpush notification, it returns an exception because of the symbolized keys that are required in the Registration parameters.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Notification is saved successfully.
System configuration (please complete the following information):
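The behaviour reported above can be reproduced with Psych alone. The following is an added example, not code from the issue or the project; the registration hash and the `Gadget` class are constructed for illustration.

```ruby
require "yaml"

# Constructed sample: a registration-like hash with symbolized keys.
REGISTRATION = {
  endpoint: "https://push.example.invalid/send/abc",
  keys: { p256dh: "constructed-public-key", auth: "constructed-auth-secret" }
}.freeze

# Hypothetical stand-in for a class that should never be loaded from a column.
class Gadget
  def initialize(cmd)
    @cmd = cmd
  end
end

# Returns [:ok, value] or [:rejected, message] for one safe_load attempt.
def try_safe_load(yaml, permitted_classes: [])
  [:ok, YAML.safe_load(yaml, permitted_classes: permitted_classes)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# Recursively convert hash keys to strings so no extra class must be permitted.
def stringify_keys(value)
  case value
  when Hash  then value.each_with_object({}) { |(k, v), h| h[k.to_s] = stringify_keys(v) }
  when Array then value.map { |v| stringify_keys(v) }
  else value
  end
end

SYMBOL_YAML = YAML.dump(REGISTRATION)                 # keys serialized as :endpoint, :keys
STRING_YAML = YAML.dump(stringify_keys(REGISTRATION)) # plain string keys
GADGET_YAML = YAML.dump(Gadget.new("constructed"))    # tagged !ruby/object:Gadget

# 1. Default safe_load rejects the symbolized keys (the exception in the report).
p try_safe_load(SYMBOL_YAML)
# 2. Permitting only Symbol lets the same document load.
p try_safe_load(SYMBOL_YAML, permitted_classes: [Symbol])
# 3. String keys load without permitting anything.
p try_safe_load(STRING_YAML)
# 4. Permitting Symbol does not open the door to arbitrary objects.
p try_safe_load(GADGET_YAML, permitted_classes: [Symbol])
```

In Rails releases that carry this fix, the permitted list for serialized columns is set with `config.active_record.yaml_column_permitted_classes`; keeping that list as narrow as `[Symbol]` preserves the protection shown in case 4.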