Used yaml.safe_load instead of yaml.load, because safety should be the default.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17062 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit d71b4309ca3c4c7aafc446404f86499c7366a771 1 parent af1893c
@aaugustin aaugustin authored
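--- a/django/core/serializers/pyyaml.py
+++ b/django/core/serializers/pyyaml.py
@@ -51,6 +51,6 @@ def Deserializer(stream_or_string, **options):
 stream = StringIO(stream_or_string)
 else:
 stream = stream_or_string
-for obj in PythonDeserializer(yaml.load(stream), **options):
+for obj in PythonDeserializer(yaml.safe_load(stream), **options):
 yield obj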
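Review bot: The switch to `yaml.safe_load` on the changed line carries no comment explaining why, so a later maintainer hitting a fixture with a custom tag may revert it "for compatibility"; add above the loop `# safe_load constructs only plain YAML types; yaml.load can instantiate arbitrary Python objects from an untrusted document.` It is also worth checking that a malformed or tag-bearing document, which safe_load rejects with a yaml.YAMLError subclass, is translated into DeserializationError if this serializer is expected to surface the same error type as its siblings — any such handling would sit in the part of Deserializer outside this hunk. Deserializer starts before the hunk, at line 51 per the header.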
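--- a/docs/releases/1.4.txt
+++ b/docs/releases/1.4.txt
@@ -743,6 +743,16 @@ you can easily achieve the same by overriding the `open` method, e.g.::
 def open(self, name, mode='rb'):
 return Spam(open(self.path(name), mode))
+YAML deserializer now uses ``yaml.safe_load``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+``yaml.load`` is able to construct any Python object, which may trigger
+arbitrary code execution if you process a YAML document that comes from an
+untrusted source. This feature isn't necessary for Django's YAML deserializer,
+whose primary use is to load fixtures consisting of simple objects. Even though
+fixtures are trusted data, for additional security, the YAML deserializer now
+uses ``yaml.safe_load``.
+
 .. _deprecated-features-1.4:
 Features deprecated in 1.4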
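--- a/tests/modeltests/serializers/tests.py
+++ b/tests/modeltests/serializers/tests.py
@@ -425,7 +425,7 @@ class YamlSerializerTestCase(SerializersTestBase, TestCase):
 @staticmethod
 def _validate_output(serial_str):
 try:
-yaml.load(StringIO(serial_str))
+yaml.safe_load(StringIO(serial_str))
 except Exception:
 return False
 else:
@@ -435,7 +435,7 @@ def _validate_output(serial_str):
 def _get_pk_values(serial_str):
 ret_list = []
 stream = StringIO(serial_str)
-for obj_dict in yaml.load(stream):
+for obj_dict in yaml.safe_load(stream):
 ret_list.append(obj_dict["pk"])
 return ret_list
@@ -443,10 +443,10 @@ def _get_pk_values(serial_str):
 def _get_field_values(serial_str, field_name):
 ret_list = []
 stream = StringIO(serial_str)
-for obj_dict in yaml.load(stream):
+for obj_dict in yaml.safe_load(stream):
 if "fields" in obj_dict and field_name in obj_dict["fields"]:
 field_value = obj_dict["fields"][field_name]
-# yaml.load will return non-string objects for some
+# yaml.safe_load will return non-string objects for some
 # of the fields we are interested in, this ensures that
 # everything comes back as a string
 if isinstance(field_value, basestring):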
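Review bot: None of the three updated helpers pins the new behaviour — they only show that serializer output still parses, not that a document carrying a Python-specific tag is now refused, so a regression that quietly reverts the deserializer to `yaml.load` would still pass this suite. A one-line negative case in the class, e.g. `self.assertFalse(self._validate_output("- !!python/tuple [1, 2]"))`, would cover it, since SafeLoader raises a ConstructorError for that tag and `_validate_output` already maps any exception to False. The unchanged `except Exception:` in `_validate_output` also hides failures unrelated to parsing; narrowing it to `except yaml.YAMLError:` would keep the validator honest. The same observation applies to all three hunks in this file; the enclosing YamlSerializerTestCase begins before the first of them.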