Used yaml.safe_load instead of yaml.load, because safety should be the default.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17062 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit d71b4309ca3c4c7aafc446404f86499c7366a771 1 parent af1893c
Aymeric Augustin authored
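--- a/django/core/serializers/pyyaml.py
+++ b/django/core/serializers/pyyaml.py
@@ -51,6 +51,6 @@ def Deserializer(stream_or_string, **options):
         stream = StringIO(stream_or_string)
     else:
         stream = stream_or_string
-    for obj in PythonDeserializer(yaml.load(stream), **options):
+    for obj in PythonDeserializer(yaml.safe_load(stream), **options):
         yield obj
 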
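Review bot: A fixture that carries a Python-specific tag such as `!!python/object` now fails on the `+` line with `yaml.constructor.ConstructorError` instead of being instantiated, and the hunk does not translate that into the deserializer's own error type, which fixture loading further up may be catching — worth confirming against the rest of `Deserializer`, whose body starts before this hunk. A why-comment on that line would keep the choice from being reverted as an apparent regression: `# safe_load: fixtures need only scalars, lists and dicts; never let YAML construct arbitrary Python objects`. Separately, `safe_load` of an empty stream yields `None`, which `PythonDeserializer` would then be handed as its iterable; that is pre-existing behaviour with `yaml.load`, but a guard is cheap if nothing upstream rejects empty fixtures.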
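--- a/docs/releases/1.4.txt
+++ b/docs/releases/1.4.txt
@@ -743,6 +743,16 @@ you can easily achieve the same by overriding the `open` method, e.g.::
         def open(self, name, mode='rb'):
             return Spam(open(self.path(name), mode))
 
+YAML deserializer now uses ``yaml.safe_load``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+``yaml.load`` is able to construct any Python object, which may trigger
+arbitrary code execution if you process a YAML document that comes from an
+untrusted source. This feature isn't necessary for Django's YAML deserializer,
+whose primary use is to load fixtures consisting of simple objects. Even though
+fixtures are trusted data, for additional security, the YAML deserializer now
+uses ``yaml.safe_load``.
+
 .. _deprecated-features-1.4:
 
 Features deprecated in 1.4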
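--- a/tests/modeltests/serializers/tests.py
+++ b/tests/modeltests/serializers/tests.py
@@ -425,7 +425,7 @@ class YamlSerializerTestCase(SerializersTestBase, TestCase):
         @staticmethod
         def _validate_output(serial_str):
             try:
-                yaml.load(StringIO(serial_str))
+                yaml.safe_load(StringIO(serial_str))
             except Exception:
                 return False
             else:
@@ -435,7 +435,7 @@ def _validate_output(serial_str):
         def _get_pk_values(serial_str):
             ret_list = []
             stream = StringIO(serial_str)
-            for obj_dict in yaml.load(stream):
+            for obj_dict in yaml.safe_load(stream):
                 ret_list.append(obj_dict["pk"])
             return ret_list
 
@@ -443,10 +443,10 @@ def _get_pk_values(serial_str):
         def _get_field_values(serial_str, field_name):
             ret_list = []
             stream = StringIO(serial_str)
-            for obj_dict in yaml.load(stream):
+            for obj_dict in yaml.safe_load(stream):
                 if "fields" in obj_dict and field_name in obj_dict["fields"]:
                     field_value = obj_dict["fields"][field_name]
-                    # yaml.load will return non-string objects for some
+                    # yaml.safe_load will return non-string objects for some
                     # of the fields we are interested in, this ensures that
                     # everything comes back as a string
                     if isinstance(field_value, basestring):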
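Review bot: Nothing in these hunks pins the new security property: no test feeds a document with a Python-specific tag and asserts it is refused, so a later revert to `yaml.load` would still pass the suite. The first hunk's `_validate_output` already returns False on any exception, so a one-line check suffices, e.g. `self.assertFalse(self._validate_output("- !!python/tuple [1, 2]\n"))` (constructed sample; the tag is harmless but is exactly what a safe loader must reject). While there, narrowing `except Exception:` to `except yaml.YAMLError:` would make that assertion fail for the right reason rather than for any stray error. `_validate_output`'s `else` branch and the enclosing class continue outside the hunk.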
