Used yaml.safe_load instead of yaml.load, because safety should be the default.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17062 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Aymeric Augustin 2011-11-01 20:07:42 +00:00
parent af1893c4ff
commit d71b4309ca
3 changed files with 15 additions and 5 deletions

View File

@ -51,6 +51,6 @@ def Deserializer(stream_or_string, **options):
stream = StringIO(stream_or_string) stream = StringIO(stream_or_string)
else: else:
stream = stream_or_string stream = stream_or_string
for obj in PythonDeserializer(yaml.load(stream), **options): for obj in PythonDeserializer(yaml.safe_load(stream), **options):
yield obj yield obj

View File

@ -743,6 +743,16 @@ you can easily achieve the same by overriding the `open` method, e.g.::
def open(self, name, mode='rb'): def open(self, name, mode='rb'):
return Spam(open(self.path(name), mode)) return Spam(open(self.path(name), mode))
YAML deserializer now uses ``yaml.safe_load``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
``yaml.load`` is able to construct any Python object, which may trigger
arbitrary code execution if you process a YAML document that comes from an
untrusted source. This feature isn't necessary for Django's YAML deserializer,
whose primary use is to load fixtures consisting of simple objects. Even though
fixtures are trusted data, for additional security, the YAML deserializer now
uses ``yaml.safe_load``.
.. _deprecated-features-1.4: .. _deprecated-features-1.4:
Features deprecated in 1.4 Features deprecated in 1.4

View File

@ -425,7 +425,7 @@ else:
@staticmethod @staticmethod
def _validate_output(serial_str): def _validate_output(serial_str):
try: try:
yaml.load(StringIO(serial_str)) yaml.safe_load(StringIO(serial_str))
except Exception: except Exception:
return False return False
else: else:
@ -435,7 +435,7 @@ else:
def _get_pk_values(serial_str): def _get_pk_values(serial_str):
ret_list = [] ret_list = []
stream = StringIO(serial_str) stream = StringIO(serial_str)
for obj_dict in yaml.load(stream): for obj_dict in yaml.safe_load(stream):
ret_list.append(obj_dict["pk"]) ret_list.append(obj_dict["pk"])
return ret_list return ret_list
@ -443,10 +443,10 @@ else:
def _get_field_values(serial_str, field_name): def _get_field_values(serial_str, field_name):
ret_list = [] ret_list = []
stream = StringIO(serial_str) stream = StringIO(serial_str)
for obj_dict in yaml.load(stream): for obj_dict in yaml.safe_load(stream):
if "fields" in obj_dict and field_name in obj_dict["fields"]: if "fields" in obj_dict and field_name in obj_dict["fields"]:
field_value = obj_dict["fields"][field_name] field_value = obj_dict["fields"][field_name]
# yaml.load will return non-string objects for some # yaml.safe_load will return non-string objects for some
# of the fields we are interested in, this ensures that # of the fields we are interested in, this ensures that
# everything comes back as a string # everything comes back as a string
if isinstance(field_value, basestring): if isinstance(field_value, basestring):