Convert all yaml loads to safe_loads for security/safety reasons.

https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/858883

apitests/base.py

@@ -36,7 +36,7 @@
 def read_config():
     global cfg
     f = open(CONFIG_LOC, 'r')
-    cfg = yaml.load(f)
+    cfg = yaml.safe_load(f)
     f.close()
 
 read_config()

cobbler/api.py

@@ -221,7 +221,7 @@ def version(self, extended=False):
         fd = open("/etc/cobbler/version")
         ydata = fd.read()
         fd.close()
-        data = yaml.load(ydata)
+        data = yaml.safe_load(ydata)
         if not extended:
             # for backwards compatibility and use with koan's comparisons
             elems = data["version_tuple"] 

cobbler/item.py

@@ -245,7 +245,7 @@ def set_mgmt_parameters(self,mgmt_parameters):
             self.mgmt_parameters = mgmt_parameters
         else:
             import yaml
-            data = yaml.load(mgmt_parameters)
+            data = yaml.safe_load(mgmt_parameters)
             if type(data) is not dict:
                 raise CX(_("Input YAML in Puppet Parameter field must evaluate to a dictionary."))
             self.mgmt_parameters = data

cobbler/modules/serializer_catalog.py

@@ -134,7 +134,7 @@ def deserialize_item_raw(collection_type, item_name):
     if os.path.exists(filename): 
         fd = open(filename)
         data = fd.read()
-        return yaml.load(data)
+        return yaml.safe_load(data)
     elif os.path.exists(filename2):
         fd = open(filename2)
         data = fd.read()
@@ -166,13 +166,13 @@ def deserialize_raw(collection_type):
 
     if collection_type == "settings":
          fd = open("/etc/cobbler/settings")
-         datastruct = yaml.load(fd.read())
+         datastruct = yaml.safe_load(fd.read())
          fd.close()
          return datastruct
     elif os.path.exists(old_filename):
          # for use in migration from serializer_yaml to serializer_catalog (yaml/json)
          fd = open(old_filename)
-         datastruct = yaml.load(fd.read())
+         datastruct = yaml.safe_load(fd.read())
          fd.close()
          return datastruct
     else:
@@ -192,7 +192,7 @@ def deserialize_raw(collection_type):
              if f.endswith(".json"):
                  datastruct = simplejson.loads(ydata, encoding='utf-8')
              else:
-                 datastruct = yaml.load(ydata)
+                 datastruct = yaml.safe_load(ydata)
              results.append(datastruct)
              fd.close()
          return results    

cobbler/modules/serializer_couch.py

@@ -109,7 +109,7 @@ def deserialize_raw(collection_type):
 
     if collection_type == "settings":
          fd = open("/etc/cobbler/settings")
-         datastruct = yaml.load(fd.read())
+         datastruct = yaml.safe_load(fd.read())
          fd.close()
          return datastruct
     else:

cobbler/remote.py

@@ -1960,7 +1960,7 @@ def _test_setup_modules(authn="authn_testing",authz="authz_allowall",pxe_once=1)
     MODULES_TEMPLATE = "installer_templates/modules.conf.template"
     DEFAULTS = "installer_templates/defaults"
     fh = open(DEFAULTS)
-    data = yaml.load(fh.read())
+    data = yaml.safe_load(fh.read())
     fh.close()
     data["authn_module"] = authn
     data["authz_module"] = authz
@@ -1981,7 +1981,7 @@ def _test_setup_settings(pxe_once=1):
     MODULES_TEMPLATE = "installer_templates/settings.template"
     DEFAULTS = "installer_templates/defaults"
     fh = open(DEFAULTS)
-    data = yaml.load(fh.read())
+    data = yaml.safe_load(fh.read())
     fh.close()
     data["pxe_once"] = pxe_once
 

cobbler/services.py

@@ -437,7 +437,7 @@ def test_services_access():
     assert data.find("gamma") != -1
     assert data.find("3") != -1
 
-    data = yaml.load(data)
+    data = yaml.safe_load(data)
     assert data.has_key("classes")
     assert data.has_key("parameters")
 

cobbler/utils.py

@@ -1981,7 +1981,7 @@ def local_get_cobbler_api_url():
     # Load server and http port
     try:
         fh = open("/etc/cobbler/settings")
-        data = yaml.load(fh.read())
+        data = yaml.safe_load(fh.read())
         fh.close()
     except:
        traceback.print_exc()
@@ -2002,7 +2002,7 @@ def local_get_cobbler_xmlrpc_url():
     # Load xmlrpc port
     try:
         fh = open("/etc/cobbler/settings")
-        data = yaml.load(fh.read())
+        data = yaml.safe_load(fh.read())
         fh.close()
     except:
        traceback.print_exc()

scripts/cobbler-ext-nodes

@@ -13,7 +13,7 @@ if __name__ == "__main__":
 
    if hostname is not None:
        conf = open("/etc/cobbler/settings")
-       config = yaml.load(conf.read());
+       config = yaml.safe_load(conf.read());
        conf.close()
        url = "http://%s:%s/cblr/svc/op/puppet/hostname/%s" % (config["server"], config["http_port"], hostname)
        print urlgrabber.urlread(url)

scripts/index.py

@@ -109,7 +109,7 @@ def handler(req):
     fd = open("/etc/cobbler/settings")
     data = fd.read()
     fd.close()
-    ydata = yaml.load(data)
+    ydata = yaml.safe_load(data)
     remote_port = ydata.get("xmlrpc_port", 25151)
 
     mode = form.get('mode','index')

scripts/services.py

@@ -61,7 +61,7 @@ def application(environ, start_response):
     fd = open("/etc/cobbler/settings")
     data = fd.read()
     fd.close()
-    ydata = yaml.load(data)
+    ydata = yaml.safe_load(data)
     remote_port = ydata.get("xmlrpc_port",25151)
 
     # instantiate a CobblerWeb object

tests/pycallgraph_mod.py

@@ -62,7 +62,7 @@ def reset_trace():
     'node_color': lambda calls, : '%f %f %f' % (calls / 2 + .5, calls, 0.9),
     'edge_color': lambda calls, : '%f %f %f' % (calls / 2 + .5, calls, 0.7),
     'exclude_module': [ 
-        'yaml', 'yaml.load', 'yaml.stream', 'sre', 'unittest',
+        'yaml', 'yaml.safe_load', 'yaml.stream', 'sre', 'unittest',
         'sys', 'os', 'subprocess', 'string', 'time', 'test', 'posixpath', 'random',
         'shutil', 'pycallgraph', 'stat', 'tempfile', 'socket', 'glob', 'sub_process', 
         'errno', 'weakref', 'traceback'