From 1134cbcf058bc8f180e5398725eb0cbf135e049a Mon Sep 17 00:00:00 2001
From: Nguyen Hung Phuong
Date: Tue, 13 Feb 2018 14:59:49 +0700
Subject: [PATCH] Replaces yaml.load() with yaml.safe_load()
Yaml.load() return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load() limits this ability to simple Python objects like integers or lists. While we're there switch to https for the load so we can be more confident this is 'correct' data
Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html
Change-Id: I89adc358f1b3e934788a416b7ef7ea8bfc1a45db
---
 tools/list_ptls.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/list_ptls.py b/tools/list_ptls.py
index c944be4f..6b7375bd 100644
--- a/tools/list_ptls.py
+++ b/tools/list_ptls.py
@@ -20,7 +20,7 @@ import textwrap
 import requests
 import yaml
-PROJECTS_LIST = "http://git.openstack.org/cgit/openstack/governance/plain/reference/projects.yaml" # noqa
+PROJECTS_LIST = "https://git.openstack.org/cgit/openstack/governance/plain/reference/projects.yaml" # noqa
 def main():
@@ -44,7 +44,7 @@ def main():
 args = parser.parse_args()
 r = requests.get(args.project_list)
- project_data = yaml.load(r.text)
+ project_data = yaml.safe_load(r.text)
 projects = args.project
 if not projects:
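Review bot: The request feeding `yaml.safe_load` in the second hunk still has no timeout and no HTTP status check, so a 404 page or an interception/captive-portal HTML response is handed to the parser and `project_data` silently becomes a plain string instead of the mapping the rest of `main()` presumably expects. Change the fetch to `r = requests.get(args.project_list, timeout=30)` followed by `r.raise_for_status()` so a failed or substituted response aborts with a clear error rather than a confusing downstream failure. The https switch in the first hunk only provides authenticity because requests verifies the server certificate by default; a short comment next to `PROJECTS_LIST` such as `# fetched over https; requests verifies the certificate by default, do not pass verify=False` would keep that property from being undone later. `main()` begins before the second hunk and continues past its end, so any further use of `project_data` is outside this view.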