From 88c13c6c65785b86cd883d81f73cf802935ea1ea Mon Sep 17 00:00:00 2001 From: chenaidong1 Date: Fri, 10 Mar 2017 16:12:15 +0800 Subject: [PATCH] Replace yaml.load() with yaml.safe_load() Yaml.load() return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load() limits this ability to simple Python objects like integers or lists. Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html Change-Id: I63ce1f2db4dce895f3027bcf5e47edb51b26d40b --- heat-config-docker-compose/install.d/hook-docker-compose.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/heat-config-docker-compose/install.d/hook-docker-compose.py b/heat-config-docker-compose/install.d/hook-docker-compose.py index 2e2b4d7..41219ef 100755 --- a/heat-config-docker-compose/install.d/hook-docker-compose.py +++ b/heat-config-docker-compose/install.d/hook-docker-compose.py @@ -79,7 +79,7 @@ def main(argv=sys.argv): # convert config to dict if not isinstance(config, dict): - config = ast.literal_eval(json.dumps(yaml.load(config))) + config = ast.literal_eval(json.dumps(yaml.safe_load(config))) os.chdir(proj)