From bb79184e6982c2c452a19144f3b37afce6360ddb Mon Sep 17 00:00:00 2001
From: chenaidong1
Date: Fri, 10 Mar 2017 16:18:30 +0800
Subject: [PATCH] Replace yaml.load() with yaml.safe_load()

Yaml.load() return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load() limits this ability to simple Python objects like integers or lists.
Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: Ib2bfd11354c6b35c90938c1075729dc7028236a3
---
 .../heat-config-docker-compose/install.d/hook-docker-compose.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hot/software-config/elements/heat-config-docker-compose/install.d/hook-docker-compose.py b/hot/software-config/elements/heat-config-docker-compose/install.d/hook-docker-compose.py
index 2e2b4d77..41219efb 100755
--- a/hot/software-config/elements/heat-config-docker-compose/install.d/hook-docker-compose.py
+++ b/hot/software-config/elements/heat-config-docker-compose/install.d/hook-docker-compose.py
@@ -79,7 +79,7 @@ def main(argv=sys.argv):
 # convert config to dict
 if not isinstance(config, dict):
- config = ast.literal_eval(json.dumps(yaml.load(config)))
+ config = ast.literal_eval(json.dumps(yaml.safe_load(config)))
 os.chdir(proj)
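Review bot: With `yaml.safe_load` in place, the `ast.literal_eval(json.dumps(...))` wrapper on the changed line no longer serves a purpose and can be dropped: `safe_load` already yields only plain builtins (dict, list, str, int, float, bool, None, and `datetime` objects for YAML timestamps), so the JSON round-trip adds nothing except a `TypeError` if the document contains a timestamp value. The direct form is `config = yaml.safe_load(config)`. The comment above says the intent is to end up with a dict, yet a scalar or list document still passes through silently; a follow-up `if not isinstance(config, dict):` check that logs and rejects the input would make the contract explicit, and a malformed document raises `yaml.YAMLError`, which is presumably handled (or not) by the caller. `main` starts and ends outside the hunk, so I cannot see where `config` is obtained or how errors are reported.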