Change yaml.load/yaml.dump to be yaml.safe_load/yaml.safe_dump, introduced yaml.danger_dump/yaml.danger_load, and the same for various other classes. (python2 only at this moment) Refs yaml#5
@sigmavirus24 I'd appreciate feedback on whether this looks correct to you -- and if it needs anything more. Once the py2 version looks good I'll apply the changes to the py3k versions of the code.

Go ahead with the Python 3 versions of the code. 🎉

You are the greatest @alex

This is a fantastic change! Probably the highlight of
This is the changelog https://github.com/yaml/pyyaml/blob/master/CHANGES |
Thanks all. FYI, this issue was assigned CVE-2017-18342. |
@alex 😻 |
- known vulnerability in version <4.1 [1] [1] yaml/pyyaml#74
Alex Gaynor (4):
Make pyyaml safe by default.
wtf, how did this typo happen
Now, for py3k!
Changes for 4.1 release
Andrey Somov (1):
Remove redundant code in Scanner.peek_token()
Anthony Sottile (1):
Install cython alongside tox
Daniel Beer (1):
Allow colon in a plain scalar in a flow context (#45)
Donald Stufft (4):
Add a tox.ini to run tests
Ignore common build/runtime artifacts
Add Travis Support
Fallback to Pure Python if Compilation fails
Florian Bruhin (1):
Import Hashable from collections.abc
Hugo (1):
Test on Python 3.7-dev
Ian Cordasco (1):
Install tox in a virtualenv
Ingy döt Net (6):
Revert PR #150 per @asomov
Changes for 4.01 release
Reverting yaml/pyyaml#74
Deprecate/warn usage of yaml.load(input)
Update .travis.yml to use libyaml 0.2.2
Updates for 5.1 release
Jakub Wilk (1):
Fix typos
Jon Dufresne (5):
Document and test Python 3.6 support
Use Travis CI built in pip cache support
Remove tox workaround for Travis CI
Remove commented out Psyco code
Include license file in the generated wheel package
Kirill Simonov (1):
Added tag 3.12 for changeset 823acfc7b4ff
Matt Davis (2):
Squash/merge pull request #105 from nnadeau/patch-1
Windows Appveyor build
Peter Murphy (5):
A change to a message
First attack at pyyaml does not support literals in unicode over codepoint 0xffff #25
Added emoticon test data files (which will probably break testing)
Suspicious 'expected an exception' messages trimmed
Reverting README to old copy
Timofei Bondarev (1):
Improve RepresenterError creation
Tina Müller (7):
Support escaped slash in double quotes "\/"
Force cython when building sdist
Build libyaml on travis
Apply FullLoader/UnsafeLoader changes to lib3
Allow to turn off sorting keys in Dumper
Make default_flow_style=False
Skip certain unicode tests when maxunicode not > 0xffff
hsmtkk (1):
add 3.12 changelog
hugovk (1):
Drop unsupported Python 3.3
psanchez (1):
Resolves #57, update readme issues link
scauligi (1):
Fix for bug yaml/pyyaml#118
* Add the utf-8 byte order marker to simplify issues with loading to Excel
* Brought tests suites inline with models.py, handle the utf-8 BOM, and expect bytes over the wire.
* Whoops. params where they should have been.
* Minor changes to cache invalidation to get rid of write access rqmt.
* ugh tests.
* get_cache should be type-hinting a str return, not bool. Also, I was returning both a datetime, or a str. Whoops.
* sigh. tests. remember the tests.
* - removed Beta banner - removed Bold links in some pages - add Terms and Conditions in footers
* - removed temporary Google Analytics - add Content Security Policy on header - moved some inline javascript call to an external file
* forgot one inline onclick javascript
* - implemented a whitelist for report names that can be called via the app URL. for now : only one report name is allowed : compliance
* - forgot one file
* build package for public app
* fix syntax errors
* fire new job names
* added logic to only display the donut for Public users
* forgot to remove bold for links for modal (How to read this table?)
* removed some unwanted space
* put back Beta Banner
* Minor tweaks to config to enable usage of Azure Managed Service Identities in combination with Azure KeyVault.
* this time with updated req's
* local ci would be great when you're sleep deprived.
* removed secret name out of code
* Removed headers due to duplication. The upstream servers are also placing these headers, so removing from here.
* Security Update: pyyaml bump to pull in safe_load. Fixes this yaml/pyyaml#74. Note we were already using safe_load.
* Security Update: pyyaml version bump yaml/pyyaml#74
* Paginate scroll to top
* add semi-colon
* - Implementation of Google Tag Manager. GTM ID is stored in Environment variable called GOOGLE_TAG_MANAGER
* fix typo
* fix data-domain, can't use comma to enclose value, breaks if value has comma in domain name
* removed CSP policies from HTML header. CSP is now implemented on Nginx server.
* - some cleanup before merge to Master branch
* - to fix Alerts from LGTM
* Compatibility with kubernetes (cds-snc#127)
* Modification for deploying on k8s
* Small fix on dockerfile
* Added CI workflow file
* Ignore pip pinning in CI
* defer datatable render (cds-snc#129)
* Changed worker type and worker amount (cds-snc#130)
* Added PR review app configuration;
* Actually hit the right container
* Take 2
* Upgraded deps (cds-snc#132). Bump dependencies for pymongo and flask_pymongo. Fixes time based connection issues.
* Task default organizations (cds-snc#136)
* - set default view to Organizations instead of Domains - removed logic to public and internal view since now we will have same view for internal/public users
* - fix some accessibility issues
* - put back role=row for TR. If not present, Mobile view doesn't display the green plus button in By Organizations page
* - for Accessibility : implement "Skip to main content" link at top of pages (visible when Tab into focus)
* update content for the Guidance page (cds-snc#137)
https://bugs.gentoo.org/659348

It is reported that in PyYAML before 4.1, usage of the yaml.load() function on untrusted input could lead to arbitrary code execution. It is therefore recommended to use yaml.safe_load() instead. With 4.1, yaml.load() has been changed to call safe_load().

* Report: http://seclists.org/oss-sec/2018/q2/240
* Upstream change: yaml/pyyaml#74
* CVE: pending

-- Gentoo Security Scout Vladimir Krstulja
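The report above recommends auditing for yaml.load() on untrusted input and switching to yaml.safe_load(). As an added example (not code from the pyyaml PR, from PyYAML itself, or from the Gentoo report), the following stdlib-only scanner walks a Python source file's AST and reports the PyYAML calls that would construct arbitrary Python objects: load()/load_all() with no Loader argument (which used the unsafe Loader before 4.1), load() with Loader set to Loader or UnsafeLoader, and the explicit unsafe entry points (danger_load, the name this PR introduced for 4.1, and unsafe_load, the name later releases use). The function names, the finding messages and the sample source are the example's own; it resolves `import yaml as y` aliases and `from yaml import load as yload` renames so those do not slip past.

```python
"""Scan Python source for PyYAML deserialization calls that are unsafe on
untrusted input.

Added example, not code from the pyyaml PR or from the Gentoo report.  It is
stdlib-only (ast) so it runs without PyYAML installed.  The function and
sample names below are the example's own.
"""
import ast
from typing import Dict, List, Optional, Set, Tuple

# Entry points that deliberately bypass the safe constructor.  danger_load /
# danger_load_all are the names this PR introduced for 4.1; unsafe_load /
# unsafe_load_all are the names later releases use.
UNSAFE_FUNCS = {"unsafe_load", "unsafe_load_all", "danger_load", "danger_load_all"}
# Loader classes that build arbitrary Python objects from !!python/... tags.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader"}
# Calls whose safety depends on the Loader argument (or on the version
# default, which was the unsafe Loader before 4.1).
LOADER_DEPENDENT = {"load", "load_all"}


def _yaml_imports(tree: ast.AST) -> Tuple[Set[str], Dict[str, str]]:
    """Collect module aliases (`import yaml as y`) and names imported with
    `from yaml import load as yload`, mapped back to the yaml attribute."""
    modules: Set[str] = set()
    names: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    modules.add(alias.asname or "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                names[alias.asname or alias.name] = alias.name
    return modules, names


def _yaml_attr(node: ast.AST, modules: Set[str], names: Dict[str, str]) -> Optional[str]:
    """Resolve `yaml.X` or an imported `X` to the attribute name X, else None."""
    if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
            and node.value.id in modules):
        return node.attr
    if isinstance(node, ast.Name) and node.id in names:
        return names[node.id]
    return None


def _loader_argument(call: ast.Call, modules: Set[str], names: Dict[str, str]) -> Optional[str]:
    """Return the Loader passed to load()/load_all(), or None if it was omitted.
    PyYAML accepts it as the second positional argument or as Loader=."""
    node = next((kw.value for kw in call.keywords if kw.arg == "Loader"), None)
    if node is None and len(call.args) >= 2:
        node = call.args[1]
    if node is None:
        return None
    # A loader we cannot resolve statically (e.g. a variable) is reported as such.
    return _yaml_attr(node, modules, names) or "<dynamic>"


def find_unsafe_yaml_calls(source: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every call that would construct
    arbitrary Python objects from the YAML document it parses."""
    tree = ast.parse(source)
    modules, names = _yaml_imports(tree)
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = _yaml_attr(node.func, modules, names)
        if func in UNSAFE_FUNCS:
            findings.append((node.lineno, f"{func}() constructs arbitrary Python objects"))
        elif func in LOADER_DEPENDENT:
            loader = _loader_argument(node, modules, names)
            if loader is None:
                findings.append((node.lineno,
                                 f"{func}() without Loader=: unsafe before 4.1, warns since 5.1"))
            elif loader in UNSAFE_LOADERS:
                findings.append((node.lineno,
                                 f"{func}(..., Loader={loader}) constructs arbitrary Python objects"))
    return sorted(findings)


# Constructed sample input; the line numbers in its comments are those of the
# string itself, not of this file.
SAMPLE_SOURCE = '''\
import yaml
from yaml import load as yload, safe_load

cfg = safe_load(open("cfg.yml"))              # safe: SafeLoader only
doc = yaml.load(open("a.yml"))                # line 5: relies on the default loader
obj = yaml.load(data, Loader=yaml.Loader)     # line 6: explicit unsafe loader
ok = yaml.load(data, Loader=yaml.SafeLoader)  # safe
raw = yaml.unsafe_load(data)                  # line 8: unsafe entry point
more = yload(data)                            # line 9: alias of yaml.load, no Loader
'''

if __name__ == "__main__":
    for lineno, reason in find_unsafe_yaml_calls(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason}")
```

Run against the constructed sample it reports lines 5, 6, 8 and 9 and stays silent on the two SafeLoader calls. The scanner only sees what it can resolve statically: a Loader passed in a variable is reported as `<dynamic>` and left for manual review rather than silently accepted, which is the safer failure mode for an audit tool.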
Alex Gaynor (4):
Make pyyaml safe by default.
wtf, how did this typo happen
Now, for py3k!
Changes for 4.1 release
Andrey Somov (1):
Remove redundant code in Scanner.peek_token()
Anthony Sottile (1):
Install cython alongside tox
Daniel Beer (1):
Allow colon in a plain scalar in a flow context (#45)
Donald Stufft (4):
Add a tox.ini to run tests
Ignore common build/runtime artifacts
Add Travis Support
Fallback to Pure Python if Compilation fails
Florian Bruhin (1):
Import Hashable from collections.abc
Hugo (1):
Test on Python 3.7-dev
Ian Cordasco (1):
Install tox in a virtualenv
Ingy döt Net (6):
Revert PR #150 per @asomov
Changes for 4.01 release
Reverting yaml/pyyaml#74
Deprecate/warn usage of yaml.load(input)
Update .travis.yml to use libyaml 0.2.2
Updates for 5.1 release
Jakub Wilk (1):
Fix typos
Jon Dufresne (5):
Document and test Python 3.6 support
Use Travis CI built in pip cache support
Remove tox workaround for Travis CI
Remove commented out Psyco code
Include license file in the generated wheel package
Kirill Simonov (1):
Added tag 3.12 for changeset 823acfc7b4ff
Matt Davis (4):
Squash/merge pull request #105 from nnadeau/patch-1
Windows Appveyor build
changes for 5.1.1 release
changes for 5.1.2 release
Peter Murphy (5):
A change to a message
First attack at pyyaml does not support literals in unicode over codepoint 0xffff #25
Added emoticon test data files (which will probably break testing)
Suspicious 'expected an exception' messages trimmed
Reverting README to old copy
Timofei Bondarev (1):
Improve RepresenterError creation
Tina Müller (7):
Support escaped slash in double quotes "\/"
Force cython when building sdist
Build libyaml on travis
Apply FullLoader/UnsafeLoader changes to lib3
Allow to turn off sorting keys in Dumper
Make default_flow_style=False
Skip certain unicode tests when maxunicode not > 0xffff
hsmtkk (1):
add 3.12 changelog
hugovk (1):
Drop unsupported Python 3.3
psanchez (1):
Resolves #57, update readme issues link
scauligi (1):
Fix for bug yaml/pyyaml#118
Change yaml.load/yaml.dump to be yaml.safe_load/yaml.safe_dump, introduced yaml.danger_dump/yaml.danger_load, and the same for various other classes.
(python2 only at this moment)
Fixes #5