serialization - Ensuring genuine parameters doesn't trigger "You tried to assign already serialized content to value. This is disabled due to security issues." -

-

i've created form builder in rails allows users construct own forms. many of form inputs supply straight strings rails (e.g. text field). provide arrays of values (like date choosers). right i'm storing values these in serialised column. works well, , lets me re-display custom forms when error occurs minimal effort. problem entered:

--------

into text field , activerecord raised error saying: you tried assign serialized content value. disabled due security issues.

i string looks yaml, i'm wondering if there's more graceful way around user entering bunch of dashes indicate had no phone number. i'd fail gracefully , perhaps drop value or store serialised string if there such thing.

in rails 3.0.20 lts they've patched code check yaml strings being sent serialised columns. i've overridden assignment method on model fix string instead of raising error:

module activerecord   module attributemethods     module write       extend activesupport::concern        included         attribute_method_suffix "="       end        module classmethods         protected           def define_method_attribute=(attr_name)             if self.serialized_attributes[attr_name]               generated_attribute_methods.send(:define_method, "#{attr_name}=") |new_value|                 if new_value.is_a?(string) , new_value =~ /^---/                   raise activerecorderror, "you tried assign serialized content #{attr_name}. disabled due security issues."                 end                 write_attribute(attr_name, new_value)               end             elsif attr_name =~ /^[a-za-z_]\w*[!?=]?$/               generated_attribute_methods.module_eval("def #{attr_name}=(new_value); write_attribute('#{attr_name}', new_value); end", __file__, __line__)             else               generated_attribute_methods.send(:define_method, "#{attr_name}=") |new_value|                 write_attribute(attr_name, new_value)               end             end           end       end        ...

i wanted use super(new_value) here allow original method make assignment unfortunately seemed bypassing check (thus bypassing security measure too).

  def value=(new_value)     if new_value.is_a?(string) , new_value =~ /^---/       new_value.gsub!(/^-+/, '-')     end     write_attribute(:value, new_value)   end

Comments

Post a Comment

Popular posts from this blog

javascript - how to protect a flash video from refresh? -

-
<!doctype html> <html> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <title>flash video refresh</title> </head> <body> <div id="playerzone"><embed height="496" width="580" flashvars="flvid=19742822&amp;createtime=2012-4-19 13:46:33" wmode="opaque" allowscriptaccess="always" allowfullscreen="true" quality="high" bgcolor="#000000" name="player" id="player" src="swf/mine.swf" type="application/x-shockwave-flash"></div> <a onclick="return test();" id="test">click me popup div,and hide scrollbar</a> </body> the code upon: for example,when click a#test button,popup div,it's no problem,but want hide scrollbar while div popup. i used $('html').css('overflow','hidden') in...
Read more

visual studio 2010 - Connect to informix database windows form application -

-
i trying figure out how connect ibm informix database. have been doing research , have found threads 5 years ago examples not working. i have installed latest sdk ibm informix. i have included ibm.data.informix.dll references in project. i have included using ibm.data.informix; i adding button , on click testing conenction. debug error "sql0035n file "c:\users\adam\documents\visual studio 2010\projects\test\test\msg\en_us\db2nmp.xml" cannot opened." this file not exist , dont see anywhere in program files (x86)\ibm informix client sdk directory. my on click code is private void button1_click(object sender, eventargs e) { const string host = "192.168.obfuscated"; const string servicenum = "1525"; //port? const string server = "serverobfuscated"; const string database = "dbobfuscatedy"; const string user = "myusername"; const string password = ...
Read more

android - Associate same looper with different threads -

-
Image
in application, want create multiple threads working on single queue. create queue know need call looper.prepare() . i want other threads create should associated looper created first thread, how can achieve this? use 1 of java thread safe queue class java.util.concurrent package instead of looper achieve goal. it's more common practice. share queue between threads , post task queue entry 1 thread can entry thread. blockingqueue can - in 1 thread call take() , block thread until thread put() entry queue. that's all. producer consumer pattern example blockingqueue or concurrentlinkedqueue about blockingqueue
Read more