Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make pyyaml safe by default. #74

Merged
merged 3 commits into from
Aug 26, 2017
Merged

Conversation

alex
Copy link
Contributor

@alex alex commented Aug 26, 2017

Change yaml.load/yaml.dump to be yaml.safe_load/yaml.safe_dump, introduced yaml.danger_dump/yaml.danger_load, and the same for various other classes.

(python2 only at this moment)

Fixes #5

Change yaml.load/yaml.dump to be yaml.safe_load/yaml.safe_dump, introduced yaml.danger_dump/yaml.danger_load, and the same for various other classes.

(python2 only at this moment)

Refs yaml#5
@alex
Copy link
Contributor Author

alex commented Aug 26, 2017

@sigmavirus24 I'd appreciate feedback on whether this looks correct to you -- and if it needs anything more.

Once the py2 version looks good I'll apply the changes to the py3k versions of the code.

@sigmavirus24
Copy link
Contributor

Go ahead with the Python 3 versions of the code. 🎉

@KevinHock
Copy link

KevinHock commented Jun 26, 2018

You are the greatest @alex

@hydrosquall
Copy link

This is a fantastic change! Probably the highlight of 4.1 in my opinion. I hadn't realized the danger of vanilla load until it was featured in a Python security holes article earlier this month (https://hackernoon.com/10-common-security-gotchas-in-python-and-how-to-avoid-them-e19fbe265e03). I never thought to look for safe_load since I was viewing this as a drop-in replacement for json.load.

@wimglenn

This comment has been minimized.

@KevinHock
Copy link

This is the changelog https://github.com/yaml/pyyaml/blob/master/CHANGES

@alex
Copy link
Contributor Author

alex commented Jun 27, 2018

Thanks all. FYI, this issue was assigned CVE-2017-18342.

@jezdez
Copy link

jezdez commented Jun 28, 2018

@alex 😻

ingydotnet added a commit that referenced this pull request Jun 29, 2018
Revert "Make pyyaml safe by default."

This reverts commit bbcf95f.
This reverts commit 7b68405.
This reverts commit 517e83e.
ingydotnet added a commit that referenced this pull request Jun 29, 2018
Revert "Make pyyaml safe by default."

This reverts commit bbcf95f.
This reverts commit 7b68405.
This reverts commit 517e83e.
ingydotnet added a commit that referenced this pull request Jun 30, 2018
Revert "Make pyyaml safe by default."

This reverts commit bbcf95f.
This reverts commit 7b68405.
This reverts commit 517e83e.
@Kobold Kobold mentioned this pull request Jul 18, 2018
wolverineav added a commit to wolverineav/bosi that referenced this pull request Jan 4, 2019
 - known vulnerability in version <4.1 [1]

[1] yaml/pyyaml#74
clrpackages pushed a commit to clearlinux-pkgs/PyYAML that referenced this pull request Apr 4, 2019
Alex Gaynor (4):
      Make pyyaml safe by default.
      wtf, how did this typo happen
      Now, for py3k!
      Changes for 4.1 release

Andrey Somov (1):
      Remove redundant code in Scanner.peek_token()

Anthony Sottile (1):
      Install cython alongside tox

Daniel Beer (1):
      Allow colon in a plain scalar in a flow context (#45)

Donald Stufft (4):
      Add a tox.ini to run tests
      Ignore common build/runtime artifacts
      Add Travis Support
      Fallback to Pure Python if Compilation fails

Florian Bruhin (1):
      Import Hashable from collections.abc

Hugo (1):
      Test on Python 3.7-dev

Ian Cordasco (1):
      Install tox in a virtualenv

Ingy döt Net (6):
      Revert PR #150 per @asomov
      Changes for 4.01 release
      Reverting yaml/pyyaml#74
      Deprecate/warn usage of yaml.load(input)
      Update .travis.yml to use libyaml 0.2.2
      Updates for 5.1 release

Jakub Wilk (1):
      Fix typos

Jon Dufresne (5):
      Document and test Python 3.6 support
      Use Travis CI built in pip cache support
      Remove tox workaround for Travis CI
      Remove commented out Psyco code
      Include license file in the generated wheel package

Kirill Simonov (1):
      Added tag 3.12 for changeset 823acfc7b4ff

Matt Davis (2):
      Squash/merge pull request #105 from nnadeau/patch-1
      Windows Appveyor build

Peter Murphy (5):
      A change to a message
      First attack at pyyaml does not support literals in unicode over codepoint 0xffff #25
      Added emoticon test data files (which will probably break testing)
      Suspicious 'expected an exception' messages trimmed
      Reverting README to old copy

Timofei Bondarev (1):
      Improve RepresenterError creation

Tina Müller (7):
      Support escaped slash in double quotes "\/"
      Force cython when building sdist
      Build libyaml on travis
      Apply FullLoader/UnsafeLoader changes to lib3
      Allow to turn off sorting keys in Dumper
      Make default_flow_style=False
      Skip certain unicode tests when maxunicode not > 0xffff

hsmtkk (1):
      add 3.12 changelog

hugovk (1):
      Drop unsupported Python 3.3

psanchez (1):
      Resolves #57, update readme issues link

scauligi (1):
      Fix for bug yaml/pyyaml#118
sayaHub added a commit to sayaHub/track-web that referenced this pull request May 22, 2019
* Add the utf-8 byte order marker to simplify issues with loading to Excel

* Brought tests suites inline with models.py, handle the utf-8 BOM, and expect bytes over the wire.

* Whoops. params where they should have been.

* Minor changes to cache invalidation to get rid of write access rqmt.

* ugh tests.

* get_cache should be type-hinting a str return, not bool. Also, I was returning both a datetime, or a str. Whoops.

* sigh. tests. remember the tests.

* - removed Beta banner
- removed Bold links in some pages
- add Terms and Conditions in footers

* - removed temporary Google Analytics
- add Content Security Policy on header
- moved some inline javascript call to a external file

* forgot one inline onclick javascript

* - implemented a whitelist for report names that can be call via the app URL.

  for now : only one report name is allowed : compliance

* - forgot one file

* build package for public app

* fix syntax errors

* fire new job names

* added logic to only display the donut for Public users

* forgot to remove bold for links for modal (How to read this table?)

* removed some unwanted space

* put back Beta Banner

* Minor tweaks to config to enable usage of Azure Managed Service Identities in combination with Azure KeyVault.

* this time with updated req's

* local ci would be great when you're sleep deprived.

* removed secret name out of code

* Removed headers due to duplication..

The upstream servers are also placing these headers, so removing from here.

* Security Update: pyyaml bump to pull in safe_load

Fixes this yaml/pyyaml#74.

Note we were already using safe_load.

* Security Update: pyyaml version bump

yaml/pyyaml#74

* Paginate scroll to top

* add semi-colon

* - Implementation of Google Tag Manager

   GTM ID is stored in Environment variable called GOOGLE_TAG_MANAGER

* fix typo

* fix data-domain, can't use comma to enclose value, break if value have comma in domain name

* removed CSP policies from HTML header. CSP is now implemented on Nginx server.

* - some cleanup before merge to Master branch

* - to fix Alerts from LGTM

* Compatibility with kubernetes  (cds-snc#127)

* Modification for deploying on k8s

* Small fix on dockerfile

* Added CI workflow file

* Ignore pip pinning in CI

* defer datatable render (cds-snc#129)

* Changed worker type and worker amount (cds-snc#130)

* Added PR review app configuration;

* Actually hit the right container

* Take 2

* Upgraded deps (cds-snc#132)

Bump dependencies for pymongo and flask_pymongo. Fixes time based connection issues.

* Task default organizations (cds-snc#136)

* - set default view to Organizations instead of Domains
- removed logic to public and internal view since now we will have same view for internal/public users

* - fix some accessibilities issues

* - put back role=row for TR. If not present, Mobile view doesnt display the green plus button
  in By Organizations page

* - for Accessibility : implement "Skip to main content" link at top of pages ( visible when Tab into focus)

* update content for the Guidance page (cds-snc#137)
rcmcronny added a commit to rcmcronny/dmarchiver that referenced this pull request May 28, 2019
https://bugs.gentoo.org/659348

It is reported that in PyYAML before 4.1, usage of yaml.load() function on untrusted input could lead to arbitrary code execution. It is therefore recommended to use yaml.safe_load() instead. With 4.1, yaml.load() has been changed to call safe_load().

* Report:          http://seclists.org/oss-sec/2018/q2/240
* Upstream change: yaml/pyyaml#74
* CVE:             pending

--

Gentoo Security Scout
Vladimir Krstulja
clrpackages pushed a commit to clearlinux-pkgs/PyYAML that referenced this pull request Aug 28, 2019
Alex Gaynor (4):
      Make pyyaml safe by default.
      wtf, how did this typo happen
      Now, for py3k!
      Changes for 4.1 release

Andrey Somov (1):
      Remove redundant code in Scanner.peek_token()

Anthony Sottile (1):
      Install cython alongside tox

Daniel Beer (1):
      Allow colon in a plain scalar in a flow context (#45)

Donald Stufft (4):
      Add a tox.ini to run tests
      Ignore common build/runtime artifacts
      Add Travis Support
      Fallback to Pure Python if Compilation fails

Florian Bruhin (1):
      Import Hashable from collections.abc

Hugo (1):
      Test on Python 3.7-dev

Ian Cordasco (1):
      Install tox in a virtualenv

Ingy döt Net (6):
      Revert PR #150 per @asomov
      Changes for 4.01 release
      Reverting yaml/pyyaml#74
      Deprecate/warn usage of yaml.load(input)
      Update .travis.yml to use libyaml 0.2.2
      Updates for 5.1 release

Jakub Wilk (1):
      Fix typos

Jon Dufresne (5):
      Document and test Python 3.6 support
      Use Travis CI built in pip cache support
      Remove tox workaround for Travis CI
      Remove commented out Psyco code
      Include license file in the generated wheel package

Kirill Simonov (1):
      Added tag 3.12 for changeset 823acfc7b4ff

Matt Davis (4):
      Squash/merge pull request #105 from nnadeau/patch-1
      Windows Appveyor build
      changes for 5.1.1 release
      changes for 5.1.2 release

Peter Murphy (5):
      A change to a message
      First attack at pyyaml does not support literals in unicode over codepoint 0xffff #25
      Added emoticon test data files (which will probably break testing)
      Suspicious 'expected an exception' messages trimmed
      Reverting README to old copy

Timofei Bondarev (1):
      Improve RepresenterError creation

Tina Müller (7):
      Support escaped slash in double quotes "\/"
      Force cython when building sdist
      Build libyaml on travis
      Apply FullLoader/UnsafeLoader changes to lib3
      Allow to turn off sorting keys in Dumper
      Make default_flow_style=False
      Skip certain unicode tests when maxunicode not > 0xffff

hsmtkk (1):
      add 3.12 changelog

hugovk (1):
      Drop unsupported Python 3.3

psanchez (1):
      Resolves #57, update readme issues link

scauligi (1):
      Fix for bug yaml/pyyaml#118
cz-themax added a commit to cz-themax/amdgpu-fan that referenced this pull request Oct 19, 2019
It is reported that in PyYAML before 4.1, usage of yaml.load() function on untrusted input could lead to arbitrary code execution. It is therefore recommended to use yaml.safe_load() instead. With 4.1, yaml.load() has been changed to call safe_load().

* Report:          http://seclists.org/oss-sec/2018/q2/240
* Upstream change: yaml/pyyaml#74
* CVE:             pending

--

Gentoo Security Scout
Vladimir Krstulja
zzkW35 pushed a commit to zzkW35/amdgpu-fan that referenced this pull request Jan 18, 2021
It is reported that in PyYAML before 4.1, usage of yaml.load() function on untrusted input could lead to arbitrary code execution. It is therefore recommended to use yaml.safe_load() instead. With 4.1, yaml.load() has been changed to call safe_load().

* Report:          http://seclists.org/oss-sec/2018/q2/240
* Upstream change: yaml/pyyaml#74
* CVE:             pending

--

Gentoo Security Scout
Vladimir Krstulja
chestm007 pushed a commit to chestm007/amdgpu-fan that referenced this pull request Jan 15, 2022
It is reported that in PyYAML before 4.1, usage of yaml.load() function on untrusted input could lead to arbitrary code execution. It is therefore recommended to use yaml.safe_load() instead. With 4.1, yaml.load() has been changed to call safe_load().

* Report:          http://seclists.org/oss-sec/2018/q2/240
* Upstream change: yaml/pyyaml#74
* CVE:             pending

--

Gentoo Security Scout
Vladimir Krstulja
mtremer pushed a commit to ipfire/ipfire-2.x that referenced this pull request Feb 14, 2022
- Update from 3.13 to 6.0
- Update of rootfile
- Changelog
6.0 (2021-10-13)
* yaml/pyyaml#327 -- Change README format to Markdown
* yaml/pyyaml#483 -- Add a test for YAML 1.1 types
* yaml/pyyaml#497 -- fix float resolver to ignore `.` and `._`
* yaml/pyyaml#550 -- drop Python 2.7
* yaml/pyyaml#553 -- Fix spelling of “hexadecimal”
* yaml/pyyaml#556 -- fix representation of Enum subclasses
* yaml/pyyaml#557 -- fix libyaml extension compiler warnings
* yaml/pyyaml#560 -- fix ResourceWarning on leaked file descriptors
* yaml/pyyaml#561 -- always require `Loader` arg to `yaml.load()`
* yaml/pyyaml#564 -- remove remaining direct distutils usage
5.4.1 (2021-01-20)
* yaml/pyyaml#480 -- Fix stub compat with older pyyaml versions that may unwittingly load it
5.4 (2021-01-19)
* yaml/pyyaml#407 -- Build modernization, remove distutils, fix metadata, build wheels, CI to GHA
* yaml/pyyaml#472 -- Fix for CVE-2020-14343, moves arbitrary python tags to UnsafeLoader
* yaml/pyyaml#441 -- Fix memory leak in implicit resolver setup
* yaml/pyyaml#392 -- Fix py2 copy support for timezone objects
* yaml/pyyaml#378 -- Fix compatibility with Jython
5.3.1 (2020-03-18)
* yaml/pyyaml#386 -- Prevents arbitrary code execution during python/object/new constructor
5.3 (2020-01-06)
* yaml/pyyaml#290 -- Use `is` instead of equality for comparing with `None`
* yaml/pyyaml#270 -- Fix typos and stylistic nit
* yaml/pyyaml#309 -- Fix up small typo
* yaml/pyyaml#161 -- Fix handling of __slots__
* yaml/pyyaml#358 -- Allow calling add_multi_constructor with None
* yaml/pyyaml#285 -- Add use of safe_load() function in README
* yaml/pyyaml#351 -- Fix reader for Unicode code points over 0xFFFF
* yaml/pyyaml#360 -- Enable certain unicode tests when maxunicode not > 0xffff
* yaml/pyyaml#359 -- Use full_load in yaml-highlight example
* yaml/pyyaml#244 -- Document that PyYAML is implemented with Cython
* yaml/pyyaml#329 -- Fix for Python 3.10
* yaml/pyyaml#310 -- Increase size of index, line, and column fields
* yaml/pyyaml#260 -- Remove some unused imports
* yaml/pyyaml#163 -- Create timezone-aware datetimes when parsed as such
* yaml/pyyaml#363 -- Add tests for timezone
5.2 (2019-12-02)
* Repair incompatibilities introduced with 5.1. The default Loader was changed,
  but several methods like add_constructor still used the old default
  yaml/pyyaml#279 -- A more flexible fix for custom tag constructors
  yaml/pyyaml#287 -- Change default loader for yaml.add_constructor
  yaml/pyyaml#305 -- Change default loader for add_implicit_resolver, add_path_resolver
* Make FullLoader safer by removing python/object/apply from the default FullLoader
  yaml/pyyaml#347 -- Move constructor for object/apply to UnsafeConstructor
* Fix bug introduced in 5.1 where quoting went wrong on systems with sys.maxunicode <= 0xffff
  yaml/pyyaml#276 -- Fix logic for quoting special characters
* Other PRs:
  yaml/pyyaml#280 -- Update CHANGES for 5.1
5.1.2 (2019-07-30)
* Re-release of 5.1 with regenerated Cython sources to build properly for Python 3.8b2+
5.1.1 (2019-06-05)
* Re-release of 5.1 with regenerated Cython sources to build properly for Python 3.8b1
5.1 (2019-03-13)
* yaml/pyyaml#35 -- Some modernization of the test running
* yaml/pyyaml#42 -- Install tox in a virtualenv
* yaml/pyyaml#45 -- Allow colon in a plain scalar in a flow context
* yaml/pyyaml#48 -- Fix typos
* yaml/pyyaml#55 -- Improve RepresenterError creation
* yaml/pyyaml#59 -- Resolves #57, update readme issues link
* yaml/pyyaml#60 -- Document and test Python 3.6 support
* yaml/pyyaml#61 -- Use Travis CI built in pip cache support
* yaml/pyyaml#62 -- Remove tox workaround for Travis CI
* yaml/pyyaml#63 -- Adding support to Unicode characters over codepoint 0xffff
* yaml/pyyaml#75 -- add 3.12 changelog
* yaml/pyyaml#76 -- Fallback to Pure Python if Compilation fails
* yaml/pyyaml#84 -- Drop unsupported Python 3.3
* yaml/pyyaml#102 -- Include license file in the generated wheel package
* yaml/pyyaml#105 -- Removed Python 2.6 & 3.3 support
* yaml/pyyaml#111 -- Remove commented out Psyco code
* yaml/pyyaml#129 -- Remove call to `ord` in lib3 emitter code
* yaml/pyyaml#149 -- Test on Python 3.7-dev
* yaml/pyyaml#158 -- Support escaped slash in double quotes "\/"
* yaml/pyyaml#175 -- Updated link to pypi in release announcement
* yaml/pyyaml#181 -- Import Hashable from collections.abc
* yaml/pyyaml#194 -- Reverting yaml/pyyaml#74
* yaml/pyyaml#195 -- Build libyaml on travis
* yaml/pyyaml#196 -- Force cython when building sdist
* yaml/pyyaml#254 -- Allow to turn off sorting keys in Dumper (2)
* yaml/pyyaml#256 -- Make default_flow_style=False
* yaml/pyyaml#257 -- Deprecate yaml.load and add FullLoader and UnsafeLoader classes
* yaml/pyyaml#261 -- Skip certain unicode tests when maxunicode not > 0xffff
* yaml/pyyaml#263 -- Windows Appveyor build

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>

 --git a/config/rootfiles/packages/python3-yaml b/config/rootfiles/packages/python3-yaml
x 0870a2346..bd4009a08 100644
* yaml/pyyaml#195 -- Build libyaml on travis
* yaml/pyyaml#196 -- Force cython when building sdist
* yaml/pyyaml#254 -- Allow to turn off sorting keys in Dumper (2)
* yaml/pyyaml#256 -- Make default_flow_style=False
* yaml/pyyaml#257 -- Deprecate yaml.load and add FullLoader and Uns
oader classes
* yaml/pyyaml#261 -- Skip certain unicode tests when maxunicode not
xffff
* yaml/pyyaml#263 -- Windows Appveyor build

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.