Use json.loads instead of eval() on the config

eval isn't safe or secure and shouldn't ever be used in this situation.
We can possibly use oslo.config for this, so this is only a partial fix
but might be good enough. This change removes a security issue.

Partial-Bug: #1783293
Change-Id: Id5c02d92ad7335c3d7d42ac353b88376cdb704fb
This commit is contained in:
Dougal Matthews 2018-07-24 09:38:09 +01:00
parent 8806b5b7d8
commit 0867becb8f
1 changed files with 2 additions and 1 deletions

View File

@ -19,6 +19,7 @@ Configuration options registration and useful routines.
"""
import itertools
import json
import os
from keystoneauth1 import loading
@ -335,7 +336,7 @@ notifier_opts = [
),
cfg.ListOpt(
'notify',
item_type=eval,
item_type=json.loads,
bounds=True,
help=_('List of publishers to publish notification.')
)