This repository has been archived by the owner on Jun 25, 2020. It is now read-only.

Unsafe calls to yaml.load #158

Closed
vmatare opened this issue Oct 27, 2019 · 2 comments

vmatare commented Oct 27, 2019

metadata = yaml.load(metadata_file.read())

metadata = yaml.load(metadata_file.read())

yaml.load is deprecated, and these calls should be replaced with e.g. yaml.safe_load.

See https://nvd.nist.gov/vuln/detail/CVE-2017-18342
Cf. ros/ros_comm@29053c4

Contributor

tkruse commented Dec 8, 2019

I think the same was done in vcstools/wstool#134, and a small PR has high chances of being merged by me.

@dirk-thomas
Contributor

Closing since the repository is about to be archived: see #166.
