
Defect #42875

Updated by Go MAEDA about 17 hours ago

When using Rack 3.1.14 or later, saving a workflow that contains many statuses results in a "Page not found" error, and the workflow is not saved. 

 *Steps to reproduce:* 

 1. Update Rack to the latest version: 
 <pre> 
 bundle update rack 
 </pre> 

 2. Load default fixtures: 
 <pre> 
 bin/rake db:fixtures:load 
 </pre> 

 3. Add 40 issue statuses: 
 <pre> 
 bin/rails r '40.times {|i| IssueStatus.create!(name: i.to_s)}' 
 </pre> 

 4. Open the workflow edit page (/workflows/edit) in a browser. 

 5. Uncheck "Only display statuses that are used by this tracker", and click the "Edit" button. 

 6. Without making any changes, click the "Save" button. 

 -> A 404 Page Not Found error occurs, and the workflow is not saved. 

 Error message in the log: 

 <pre> 
 Started POST "/workflows/update" for 127.0.0.1 at 2025-06-16 10:47:24 +0900 

 ActionController::RoutingError (No route matches [POST] "/workflows/update"): 
 </pre> 

 *Cause:* 

 Starting in Rack 3.1.14, a security fix for "CVE-2025-46727":https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx added a limit on the number of query parameters allowed in a request ("default: 4096":https://github.com/rack/rack/commit/79ab0b9794a529f26a9a5eba10077f5ee6a097ce#diff-69c5b6856deb050ba393562673e0cc863d520360df07503081064f531e852bc2R57). 

 The workflow edit page submits a large number of parameters, and that number grows quadratically with the number of statuses. 

 For example, in Redmine 6.0, the number of parameters when all checkboxes are shown and checked can be calculated as: 

 <pre> 
 6 * IssueStatus.count ** 2 - 4 * IssueStatus.count + 5 
 </pre> 

 * With 27 statuses: 
 -> 4271 parameters (exceeds 4096 limit) 
 * With 26 statuses: 
 -> 3957 parameters (just under the limit) 

 So, the form data is silently discarded by Rack, and the routing fails. 

 In practice, not all checkboxes are checked, so the limit may be reached with more than 27 statuses — but 40 is enough to reproduce the issue reliably. 
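 The following Ruby script is an added example and is not code from this issue or from the Redmine project. It takes the parameter-count formula quoted above (Redmine 6.0, every checkbox shown and checked) and uses it to check a status count against Rack's default limit, to find the largest status count a given limit can accommodate, and to size a @RACK_QUERY_PARSER_PARAMS_LIMIT@ value for a known number of statuses. The power-of-two rounding in @suggested_limit_for@ is a convention chosen for this example, not something Rack requires.

```ruby
# Added example, not code from the Redmine issue or the Redmine project.
# Applies the parameter-count formula quoted in the report (Redmine 6.0,
# every checkbox shown and checked) to Rack's query-parameter limit.

DEFAULT_RACK_PARAMS_LIMIT = 4096 # default introduced in Rack 3.1.14

# Number of parameters the workflow edit form submits for +status_count+
# statuses when all transition checkboxes are displayed and checked.
def workflow_param_count(status_count)
  6 * status_count**2 - 4 * status_count + 5
end

# True when a fully-checked form would exceed +limit+ and therefore be
# rejected by Rack before routing, producing the 404 described in the report.
def exceeds_limit?(status_count, limit = DEFAULT_RACK_PARAMS_LIMIT)
  workflow_param_count(status_count) > limit
end

# Largest status count whose fully-checked form still fits under +limit+.
# The count is quadratic, so an incremental search is cheap.
def max_statuses_under(limit)
  n = 0
  n += 1 until exceeds_limit?(n + 1, limit)
  n
end

# Smallest limit, rounded up to a power of two (a convention chosen here,
# not by Rack), that accommodates a fully-checked form for +status_count+.
def suggested_limit_for(status_count)
  needed = workflow_param_count(status_count)
  limit = DEFAULT_RACK_PARAMS_LIMIT
  limit *= 2 while limit < needed
  limit
end

if __FILE__ == $PROGRAM_NAME
  [26, 27, 40, 104, 105].each do |n|
    puts format('%3d statuses -> %6d params, exceeds default limit: %s',
                n, workflow_param_count(n), exceeds_limit?(n))
  end
  puts "max statuses under default limit: #{max_statuses_under(DEFAULT_RACK_PARAMS_LIMIT)}"
  puts "max statuses under 65536:         #{max_statuses_under(65536)}"
  puts "limit needed for 40 statuses:     #{suggested_limit_for(40)}"
end
```

 Running it reproduces the figures in the report (26 statuses fit under 4096, 27 do not, 104 fit under 65536) and shows that the 40-status reproduction above needs a limit of at least 16384 when every transition is enabled, so a deployment can raise the limit only as far as its own status count requires rather than to a blanket value.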

 *Possible workaround:* 

 Increase the parameter limit by setting the @RACK_QUERY_PARSER_PARAMS_LIMIT@ environment variable in config/boot.rb. 

 For example, the following change increases the limit to 65536, which allows handling workflows with up to 104 issue statuses (@6 * 104 ** 2 - 4 * 104 + 5 => 64485@) when all transitions are enabled. 
 
 <pre><code class="diff"> 
 diff --git a/config/boot.rb b/config/boot.rb 
 index 7479b5aff..570830c34 100644 
 --- a/config/boot.rb 
 +++ b/config/boot.rb 
 @@ -1,5 +1,7 @@ 
  # frozen_string_literal: true 
 
 +ENV['RACK_QUERY_PARSER_PARAMS_LIMIT'] = '65536' 
 + 
  # Set up gems listed in the Gemfile. 
  ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__) 

 </code></pre>
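Review bot: the line `+ENV['RACK_QUERY_PARSER_PARAMS_LIMIT'] = '65536'` unconditionally overwrites any value an operator has already exported in the process environment, so a deployment that tunes the limit externally is silently forced back to 65536; use `ENV['RACK_QUERY_PARSER_PARAMS_LIMIT'] ||= '65536'` so config/boot.rb only supplies a default, and add a comment above it stating that the limit was introduced by the Rack 3.1.14 fix for CVE-2025-46727 and that raising it proportionally weakens that protection against oversized requests, so it should be set no higher than the installation's status count requires.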
