cschiewek / devise_ldap_authenticatable

Devise Module for LDAP
MIT License

Use YAML.unsafe_load when available #275

Open olleolleolle opened 2 years ago

olleolleolle commented 2 years ago

Informed by https://github.com/ruby/psych/issues/533#issuecomment-1023561867, this Issue notes the availability of the YAML.unsafe_load method, in Psych 4.0.

Location of use: https://github.com/cschiewek/devise_ldap_authenticatable/blob/default/lib/devise_ldap_authenticatable/ldap/connection.rb

schlumpfit commented 2 years ago

Hi @olleolleolle,

it does not use unsafe_load, but should be compatible with psych <4 as well as with psych > 4. The solution is copied from rails...

https://github.com/cschiewek/devise_ldap_authenticatable/pull/276

Edit: As a workaround I am just using gem 'psych', '< 4.0'

net1957 commented 2 years ago

It would be nice to have a new release with @schlumpfit's proposal. With Ruby 3.0.4 this problem is present in multiple applications that are using YAML aliases.

Ivanov-Anton commented 1 year ago

Same problem.

Ivanov-Anton commented 1 year ago

It seems like this issue already has fixes in the psych repo; follow the link below.

https://github.com/ruby/psych/pull/567

net1957 commented 1 year ago

Yes, but this gem was not modified to allow aliases.

Ivanov-Anton commented 1 year ago

What do you suggest to me?

Maybe do not use aliases in the LDAP YML file? Or something else?

net1957 commented 1 year ago

Pass aliases: true to YAML.safe_load.

See https://github.com/cschiewek/devise_ldap_authenticatable/pull/276
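The fix the thread converges on (safe_load with aliases enabled rather than unsafe_load) is shown below as an added, self-contained example. It is not code from the gem or from PR #276; the ldap.yml-shaped document, the host names and the load_ldap_config / load_without_aliases / load_tagged helpers are all constructed here to illustrate the behaviour. The aliases: keyword exists in Psych 3.1 and later, so the same call works on Ruby 3.0 (Psych 3.x) and on Psych 4, where YAML.load became safe_load and stopped resolving aliases by default.

```ruby
require "yaml"

# Constructed sample: an environment-keyed config in the style of an ldap.yml,
# using an anchor (&defaults) and merge-key aliases (<<: *defaults).
# Host, base and ports are placeholders, not real infrastructure.
SAMPLE_LDAP_YML = <<~YAML
  defaults: &defaults
    host: ldap.example.test
    port: 636
    ssl: true
    base: dc=example,dc=test
  development:
    <<: *defaults
    ssl: false
    port: 389
  production:
    <<: *defaults
YAML

# Constructed sample carrying a tag that would instantiate an arbitrary Ruby
# object. This is the kind of input unsafe_load would honour and safe_load must
# refuse, which is why a config loader should not fall back to unsafe_load just
# to get aliases working.
TAGGED_YML = <<~YAML
  development:
    host: !ruby/object:OpenStruct {}
YAML

# Load one environment section with the restricted loader. aliases: true lets
# the shared &defaults block resolve; permitted_classes stays empty, so only
# plain YAML types (strings, numbers, booleans, arrays, hashes) are produced.
def load_ldap_config(yaml_text, env)
  doc = YAML.safe_load(yaml_text, aliases: true, permitted_classes: [])
  doc.fetch(env) { raise KeyError, "no #{env} section in LDAP config" }
end

# Same document with Psych's default (aliases disabled). Returns the exception
# class so the failure mode is observable: Psych 3 raises Psych::BadAlias,
# Psych 4 raises Psych::AliasesNotEnabled, a subclass of BadAlias.
def load_without_aliases(yaml_text)
  YAML.safe_load(yaml_text)
  nil
rescue Psych::BadAlias => e
  e.class
end

# Feed the tagged document through the restricted loader; safe_load rejects the
# unpermitted class instead of instantiating it.
def load_tagged(yaml_text)
  load_ldap_config(yaml_text, "development")
  nil
rescue Psych::DisallowedClass => e
  e.class
end

if $PROGRAM_NAME == __FILE__
  p load_ldap_config(SAMPLE_LDAP_YML, "development")
  p load_without_aliases(SAMPLE_LDAP_YML)
  p load_tagged(TAGGED_YML)
end
```

The development section comes back with the aliased defaults merged and the per-environment overrides applied, the alias-disabled call fails with a BadAlias subclass, and the tagged document is refused with Psych::DisallowedClass. Keeping safe_load (with aliases: true) rather than switching to unsafe_load preserves that last property, which matters for any file a deployment tool or operator can edit.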