From 668dd098a462b94ff9ecad5e7f6d88721ddc3afd Mon Sep 17 00:00:00 2001
From: Nguyen Hung Phuong
Date: Tue, 13 Feb 2018 14:21:14 +0700
Subject: [PATCH] Replaces yaml.load() with yaml.safe_load()

Yaml.load() return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load() limits this ability to simple Python objects like integers or lists. Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: I8cff003dad2d0b4ca19b12d45cb5538f683192cd
---
 kb_dib/elements/kloudbuster/post-install.d/99-cloudcfg-edit | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kb_dib/elements/kloudbuster/post-install.d/99-cloudcfg-edit b/kb_dib/elements/kloudbuster/post-install.d/99-cloudcfg-edit
index 3e4647a..c17fe08 100755
--- a/kb_dib/elements/kloudbuster/post-install.d/99-cloudcfg-edit
+++ b/kb_dib/elements/kloudbuster/post-install.d/99-cloudcfg-edit
@@ -5,7 +5,7 @@ cloudcfg = "/etc/cloud/cloud.cfg"
 user = "cloud-user"
 with open(cloudcfg) as f:
- cfg = yaml.load(f)
+ cfg = safe_yaml.load(f)
 try:
 if cfg['system_info']['default_user']['name']:
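Review bot: The added line calls `safe_yaml.load(f)`, which does not match the `yaml.safe_load()` call the commit message describes. Nothing in the hunk defines a `safe_yaml` name. The file's imports are outside the hunk, but if only `yaml` is imported, this line raises `NameError` as soon as the post-install script runs. The safe loader is then never used, and the edit to `/etc/cloud/cloud.cfg` does not happen. The line should read `cfg = yaml.safe_load(f)`. It is worth running the element once after the fix, to confirm `cfg['system_info']['default_user']` still parses as a plain mapping under the safe loader.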