Plugins: change Deface overrides that use :partial

Plugin developers should check any use of Deface overrides that use
:partial to render part of a view. If it uses "../" and/or the partial
is stored under app/overrides/ or similar, you need to change it.

Security updates to Rails (4.1.14.1 and 3.2.22.1) prevent ActionView
from rendering any partial that isn't beneath a registered view
directory, i.e. app/views/. A couple of plugins have been found to put
their partials in app/overrides/ and reference them like this:

Deface::Override.new(…, :partial => '../overrides/foo')

This will fail when Foreman's updated to the new version of Rails, so
you need to either move the files under app/views/ or register
app/overrides/ (or preferably a subdir) as a second location in the
engine definition.

Rails on develop is in the process of being updated (#12873) and I
intend to make the same update to 1.10-stable via #13372.

Katello's being fixed under ticket #13592 and foreman_remote_execution
under ticket #13666. I've checked a number of plugin source trees, but
maintainers should double-check their own.

Cheers,

-- Dominic Cleal dominic@cleal.org
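
An added example, not part of the original message or of Foreman's code: a Ruby script a plugin maintainer could run to find the overrides described above. It assumes overrides live in app/overrides/**/*.rb and that app/views/ is the only registered view path; the function names and the sample plugin tree are constructed for illustration.

```ruby
require 'fileutils'
require 'tmpdir'

# Matches :partial => '...' and partial: "..." in a Deface override file.
PARTIAL_RE = /(?::partial\s*=>|\bpartial:)\s*['"]([^'"]+)['"]/

# Returns [[override_file, partial, reason], ...] for overrides to change.
# Assumes app/views/ is the plugin's only registered view path.
def audit_deface_partials(plugin_root)
  views = File.join(plugin_root, 'app', 'views')
  findings = []
  Dir.glob(File.join(plugin_root, 'app', 'overrides', '**', '*.rb')).sort.each do |file|
    File.read(file).scan(PARTIAL_RE).flatten.each do |partial|
      dir, name = File.split(partial)
      reason =
        if partial.split('/').include?('..')
          'uses ../ to leave the view directory'
        elsif Dir.glob(File.join(views, dir, "_#{name}.*")).empty?
          'no matching partial under app/views/'
        end
      findings << [file.sub("#{plugin_root}/", ''), partial, reason] if reason
    end
  end
  findings
end

# Constructed sample plugin tree (not taken from any real plugin).
def build_sample_plugin(root)
  override = "Deface::Override.new(:virtual_path => 'hosts/show', :name => '%s',\n" \
             "  :insert_after => 'h1', :partial => '%s')\n"
  {
    'app/overrides/bad.rb' => format(override, 'bad', '../overrides/foo'),
    'app/overrides/good.rb' => format(override, 'good', 'my_plugin/bar'),
    'app/overrides/missing.rb' => format(override, 'missing', 'my_plugin/baz'),
    'app/overrides/_foo.html.erb' => '<p>foo</p>',
    'app/views/my_plugin/_bar.html.erb' => '<p>bar</p>'
  }.each do |rel, body|
    path = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, body)
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    build_sample_plugin(root)
    audit_deface_partials(root).each { |f, p, why| puts "#{f}: #{p} (#{why})" }
  end
end
```

A plugin that registers an extra view path in its engine definition would need that directory added to the lookup before the second check is meaningful.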

I wonder if you can detect this on the 4.1.14 patch, change it to
/app/views and print a deprecation message instead, like we do with
plugins and the :after => finisher_hook in
https://github.com/theforeman/foreman/blob/develop/config/initializers/assets_paths.rb

On 02/11, Dominic Cleal wrote:
> Plugin developers should check any use of Deface overrides that use
> :partial to render part of a view. If it uses "../" and/or the partial
> is stored under app/overrides/ or similar, you need to change it.


Daniel Lobato Garcia

@dLobatog
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
Keybase: https://keybase.io/elobato

> Katello's being fixed under ticket #13592 and foreman_remote_execution
> under ticket #13666. I've checked a number of plugin source trees, but
> maintainers should double-check their own.

Thanks for the heads up!

-- Later, Lukas #lzap Zapletal

>> Plugin developers should check any use of Deface overrides that
>> use :partial to render part of a view. If it uses "../" and/or
>> the partial is stored under app/overrides/ or similar, you need
>> to change it.
>>
>
> I wonder if you can detect this on the 4.1.14 patch, change it to
> /app/views and print a deprecation message instead, like we do
> with plugins and the :after => finisher_hook in
> https://github.com/theforeman/foreman/blob/develop/config/initializers/assets_paths.rb

I'm not sure that it's worth it in this case. We'd probably have to
monkey patch Deface as plugins are calling Deface::Override.new
directly, and since it's not a dependency of Foreman it'd need to be
optional. We'd also have to register a new view path for the plugin
automatically based on where the partial might be located.

I don't think even the majority of the plugins that do use Deface are
affected by the problem.

On 12/02/16 09:41, Daniel Lobato Garcia wrote:
> On 02/11, Dominic Cleal wrote:


Dominic Cleal
dominic@cleal.org