From 0867becb8f0f24a094e28c569cc7d1b068c0dd2f Mon Sep 17 00:00:00 2001
From: Dougal Matthews
Date: Tue, 24 Jul 2018 09:38:09 +0100
Subject: [PATCH] Use json.loads instead of eval() on the config
eval isn't safe or secure and shouldn't ever be used in this situation. We can possibly use oslo.config for this, so this is only a partial fix but might be good enough. This change removes a security issue.
Partial-Bug: #1783293
Change-Id: Id5c02d92ad7335c3d7d42ac353b88376cdb704fb
---
 mistral/config.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/mistral/config.py b/mistral/config.py
index deb4107ab..b0a4393c5 100644
--- mistral/config.py
+++ mistral/config.py
@@ -19,6 +19,7 @@ Configuration options registration and useful routines.
 """
 import itertools
+import json
 import os
 from keystoneauth1 import loading
@@ -335,7 +336,7 @@ notifier_opts = [
 ),
 cfg.ListOpt(
 'notify',
- item_type=eval,
+ item_type=json.loads,
 bounds=True,
 help=_('List of publishers to publish notification.')
 )
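Review bot: The help text for `notify` in the `notifier_opts` hunk still does not say that each item must now be valid JSON, so operators whose entries were written as Python literals (single-quoted strings, `True`/`None`) get a parse failure with no hint about the expected format. I would state the format in the option itself, e.g. `help=_('List of publishers to publish notification. Each item must be a JSON object.')`, and mention the change in a release note. Separately, `json.loads` accepts any JSON value, so a bare number, string or `null` passes the option type and reaches whatever consumes `notify`; if that code assumes a dict (not visible here), a small `item_type` callable that parses and then raises `ValueError` for non-object results would make the check explicit. The `notifier_opts` list starts and ends outside the hunk.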