Make pyyaml safe by default. #74
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Change yaml.load/yaml.dump to be yaml.safe_load/yaml.safe_dump, introduced yaml.danger_dump/yaml.danger_load, and the same for various other classes. (python2 only at this moment) Refs yaml#5
|
@sigmavirus24 I'd appreciate feedback on whether this looks correct to you -- and if it needs anything more. Once the py2 version looks good I'll apply the changes to the py3k versions of the code. |
|
Go ahead with the Python 3 versions of the code. 🎉 |
|
You are the greatest @alex |
|
This is a fantastic change! Probably the highlight of |
This comment has been minimized.
This comment has been minimized.
|
This is the changelog https://github.com/yaml/pyyaml/blob/master/CHANGES |
|
Thanks all. FYI, this issue was assigned CVE-2017-18342. |
|
@alex 😻 |
ingydotnet
added a commit
that referenced
this pull request
Jun 29, 2018
ingydotnet
added a commit
that referenced
this pull request
Jun 29, 2018
This was referenced Jun 29, 2018
Closed
ingydotnet
added a commit
that referenced
this pull request
Jun 30, 2018
Closed
ghost
mentioned this pull request
wolverineav
added a commit
to wolverineav/bosi
that referenced
this pull request
Jan 4, 2019
- known vulnerability in version <4.1 [1] [1] yaml/pyyaml#74
This was referenced Mar 7, 2019
clrpackages
pushed a commit
to clearlinux-pkgs/PyYAML
that referenced
this pull request
Apr 4, 2019
Alex Gaynor (4):
Make pyyaml safe by default.
wtf, how did this typo happen
Now, for py3k!
Changes for 4.1 release
Andrey Somov (1):
Remove redundant code in Scanner.peek_token()
Anthony Sottile (1):
Install cython alongside tox
Daniel Beer (1):
Allow colon in a plain scalar in a flow context (#45)
Donald Stufft (4):
Add a tox.ini to run tests
Ignore common build/runtime artifacts
Add Travis Support
Fallback to Pure Python if Compilation fails
Florian Bruhin (1):
Import Hashable from collections.abc
Hugo (1):
Test on Python 3.7-dev
Ian Cordasco (1):
Install tox in a virtualenv
Ingy döt Net (6):
Revert PR #150 per @asomov
Changes for 4.01 release
Reverting yaml/pyyaml#74
Deprecate/warn usage of yaml.load(input)
Update .travis.yml to use libyaml 0.2.2
Updates for 5.1 release
Jakub Wilk (1):
Fix typos
Jon Dufresne (5):
Document and test Python 3.6 support
Use Travis CI built in pip cache support
Remove tox workaround for Travis CI
Remove commented out Psyco code
Include license file in the generated wheel package
Kirill Simonov (1):
Added tag 3.12 for changeset 823acfc7b4ff
Matt Davis (2):
Squash/merge pull request #105 from nnadeau/patch-1
Windows Appveyor build
Peter Murphy (5):
A change to a message
First attack at pyyaml does not support literals in unicode over codepoint 0xffff #25
Added emoticon test data files (which will probably break testing)
Suspicious 'expected an exception' messages trimmed
Reverting README to old copy
Timofei Bondarev (1):
Improve RepresenterError creation
Tina Müller (7):
Support escaped slash in double quotes "\/"
Force cython when building sdist
Build libyaml on travis
Apply FullLoader/UnsafeLoader changes to lib3
Allow to turn off sorting keys in Dumper
Make default_flow_style=False
Skip certain unicode tests when maxunicode not > 0xffff
hsmtkk (1):
add 3.12 changelog
hugovk (1):
Drop unsupported Python 3.3
psanchez (1):
Resolves #57, update readme issues link
scauligi (1):
Fix for bug yaml/pyyaml#118
sayaHub
added a commit
to sayaHub/track-web
that referenced
this pull request
May 22, 2019
* Add the utf-8 byte order marker to simplify issues with loading to Excel * Brought tests suites inline with models.py, handle the utf-8 BOM, and expect bytes over the wire. * Whoops. params where they should have been. * Minor changes to cache invalidation to get rid of write access rqmt. * ugh tests. * get_cache should be type-hinting a str return, not bool. Also, I was returning both a datetime, or a str. Whoops. * sigh. tests. remember the tests. * - removed Beta banner - removed Bold links in some pages - add Terms and Conditions in footers * - removed temporary Google Analytics - add Content Security Policy on header - moved some inline javascript call to a external file * forgot one inline onclick javascript * - implemented a whitelist for report names that can be call via the app URL. for now : only one report name is allowed : compliance * - forgot one file * build package for public app * fix syntax errors * fire new job names * added logic to only display the donut for Public users * forgot to remove bold for links for modal (How to read this table?) * removed some unwanted space * put back Beta Banner * Minor tweaks to config to enable usage of Azure Managed Service Identities in combination with Azure KeyVault. * this time with updated req's * local ci would be great when you're sleep deprived. * removed secret name out of code * Removed headers due to duplication.. The upstream servers are also placing these headers, so removing from here. * Security Update: pyyaml bump to pull in safe_load Fixes this yaml/pyyaml#74. Note we were already using safe_load. * Security Update: pyyaml version bump yaml/pyyaml#74 * Paginate scroll to top * add semi-colon * - Implementation of Google Tag Manager GTM ID is stored in Environment variable called GOOGLE_TAG_MANAGER * fix typo * fix data-domain, can't use comma to enclose value, break if value have comma in domain name * removed CSP policies from HTML header. CSP is now implemented on Nginx server. * - some cleanup before merge to Master branch * - to fix Alerts from LGTM * Compatibility with kubernetes (cds-snc#127) * Modification for deploying on k8s * Small fix on dockerfile * Added CI workflow file * Ignore pip pinning in CI * defer datatable render (cds-snc#129) * Changed worker type and worker amount (cds-snc#130) * Added PR review app configuration; * Actually hit the right container * Take 2 * Upgraded deps (cds-snc#132) Bump dependencies for pymongo and flask_pymongo. Fixes time based connection issues. * Task default organizations (cds-snc#136) * - set default view to Organizations instead of Domains - removed logic to public and internal view since now we will have same view for internal/public users * - fix some accessibilities issues * - put back role=row for TR. If not present, Mobile view doesnt display the green plus button in By Organizations page * - for Accessibility : implement "Skip to main content" link at top of pages ( visible when Tab into focus) * update content for the Guidance page (cds-snc#137)
rcmcronny
added a commit
to rcmcronny/dmarchiver
that referenced
this pull request
May 28, 2019
https://bugs.gentoo.org/659348 It is reported that in PyYAML before 4.1, usage of yaml.load() function on untrusted input could lead to arbitrary code execution. It is therefore recommended to use yaml.safe_load() instead. With 4.1, yaml.load() has been changed to call safe_load(). * Report: http://seclists.org/oss-sec/2018/q2/240 * Upstream change: yaml/pyyaml#74 * CVE: pending -- Gentoo Security Scout Vladimir Krstulja
clrpackages
pushed a commit
to clearlinux-pkgs/PyYAML
that referenced
this pull request
Aug 28, 2019
Alex Gaynor (4):
Make pyyaml safe by default.
wtf, how did this typo happen
Now, for py3k!
Changes for 4.1 release
Andrey Somov (1):
Remove redundant code in Scanner.peek_token()
Anthony Sottile (1):
Install cython alongside tox
Daniel Beer (1):
Allow colon in a plain scalar in a flow context (#45)
Donald Stufft (4):
Add a tox.ini to run tests
Ignore common build/runtime artifacts
Add Travis Support
Fallback to Pure Python if Compilation fails
Florian Bruhin (1):
Import Hashable from collections.abc
Hugo (1):
Test on Python 3.7-dev
Ian Cordasco (1):
Install tox in a virtualenv
Ingy döt Net (6):
Revert PR #150 per @asomov
Changes for 4.01 release
Reverting yaml/pyyaml#74
Deprecate/warn usage of yaml.load(input)
Update .travis.yml to use libyaml 0.2.2
Updates for 5.1 release
Jakub Wilk (1):
Fix typos
Jon Dufresne (5):
Document and test Python 3.6 support
Use Travis CI built in pip cache support
Remove tox workaround for Travis CI
Remove commented out Psyco code
Include license file in the generated wheel package
Kirill Simonov (1):
Added tag 3.12 for changeset 823acfc7b4ff
Matt Davis (4):
Squash/merge pull request #105 from nnadeau/patch-1
Windows Appveyor build
changes for 5.1.1 release
changes for 5.1.2 release
Peter Murphy (5):
A change to a message
First attack at pyyaml does not support literals in unicode over codepoint 0xffff #25
Added emoticon test data files (which will probably break testing)
Suspicious 'expected an exception' messages trimmed
Reverting README to old copy
Timofei Bondarev (1):
Improve RepresenterError creation
Tina Müller (7):
Support escaped slash in double quotes "\/"
Force cython when building sdist
Build libyaml on travis
Apply FullLoader/UnsafeLoader changes to lib3
Allow to turn off sorting keys in Dumper
Make default_flow_style=False
Skip certain unicode tests when maxunicode not > 0xffff
hsmtkk (1):
add 3.12 changelog
hugovk (1):
Drop unsupported Python 3.3
psanchez (1):
Resolves #57, update readme issues link
scauligi (1):
Fix for bug yaml/pyyaml#118
cz-themax
added a commit
to cz-themax/amdgpu-fan
that referenced
this pull request
Oct 19, 2019
It is reported that in PyYAML before 4.1, usage of yaml.load() function on untrusted input could lead to arbitrary code execution. It is therefore recommended to use yaml.safe_load() instead. With 4.1, yaml.load() has been changed to call safe_load(). * Report: http://seclists.org/oss-sec/2018/q2/240 * Upstream change: yaml/pyyaml#74 * CVE: pending -- Gentoo Security Scout Vladimir Krstulja
zzkW35
pushed a commit
to zzkW35/amdgpu-fan
that referenced
this pull request
Jan 18, 2021
It is reported that in PyYAML before 4.1, usage of yaml.load() function on untrusted input could lead to arbitrary code execution. It is therefore recommended to use yaml.safe_load() instead. With 4.1, yaml.load() has been changed to call safe_load(). * Report: http://seclists.org/oss-sec/2018/q2/240 * Upstream change: yaml/pyyaml#74 * CVE: pending -- Gentoo Security Scout Vladimir Krstulja
This was referenced Mar 9, 2021
This was referenced Mar 17, 2021
chestm007
pushed a commit
to chestm007/amdgpu-fan
that referenced
this pull request
Jan 15, 2022
It is reported that in PyYAML before 4.1, usage of yaml.load() function on untrusted input could lead to arbitrary code execution. It is therefore recommended to use yaml.safe_load() instead. With 4.1, yaml.load() has been changed to call safe_load(). * Report: http://seclists.org/oss-sec/2018/q2/240 * Upstream change: yaml/pyyaml#74 * CVE: pending -- Gentoo Security Scout Vladimir Krstulja
mtremer
pushed a commit
to ipfire/ipfire-2.x
that referenced
this pull request
Feb 14, 2022
- Update from 3.13 to 6.0 - Update of rootfile - Changelog 6.0 (2021-10-13) * yaml/pyyaml#327 -- Change README format to Markdown * yaml/pyyaml#483 -- Add a test for YAML 1.1 types * yaml/pyyaml#497 -- fix float resolver to ignore `.` and `._` * yaml/pyyaml#550 -- drop Python 2.7 * yaml/pyyaml#553 -- Fix spelling of “hexadecimal” * yaml/pyyaml#556 -- fix representation of Enum subclasses * yaml/pyyaml#557 -- fix libyaml extension compiler warnings * yaml/pyyaml#560 -- fix ResourceWarning on leaked file descriptors * yaml/pyyaml#561 -- always require `Loader` arg to `yaml.load()` * yaml/pyyaml#564 -- remove remaining direct distutils usage 5.4.1 (2021-01-20) * yaml/pyyaml#480 -- Fix stub compat with older pyyaml versions that may unwittingly load it 5.4 (2021-01-19) * yaml/pyyaml#407 -- Build modernization, remove distutils, fix metadata, build wheels, CI to GHA * yaml/pyyaml#472 -- Fix for CVE-2020-14343, moves arbitrary python tags to UnsafeLoader * yaml/pyyaml#441 -- Fix memory leak in implicit resolver setup * yaml/pyyaml#392 -- Fix py2 copy support for timezone objects * yaml/pyyaml#378 -- Fix compatibility with Jython 5.3.1 (2020-03-18) * yaml/pyyaml#386 -- Prevents arbitrary code execution during python/object/new constructor 5.3 (2020-01-06) * yaml/pyyaml#290 -- Use `is` instead of equality for comparing with `None` * yaml/pyyaml#270 -- Fix typos and stylistic nit * yaml/pyyaml#309 -- Fix up small typo * yaml/pyyaml#161 -- Fix handling of __slots__ * yaml/pyyaml#358 -- Allow calling add_multi_constructor with None * yaml/pyyaml#285 -- Add use of safe_load() function in README * yaml/pyyaml#351 -- Fix reader for Unicode code points over 0xFFFF * yaml/pyyaml#360 -- Enable certain unicode tests when maxunicode not > 0xffff * yaml/pyyaml#359 -- Use full_load in yaml-highlight example * yaml/pyyaml#244 -- Document that PyYAML is implemented with Cython * yaml/pyyaml#329 -- Fix for Python 3.10 * yaml/pyyaml#310 -- Increase size of index, line, and column fields * yaml/pyyaml#260 -- Remove some unused imports * yaml/pyyaml#163 -- Create timezone-aware datetimes when parsed as such * yaml/pyyaml#363 -- Add tests for timezone 5.2 (2019-12-02) * Repair incompatibilities introduced with 5.1. The default Loader was changed, but several methods like add_constructor still used the old default yaml/pyyaml#279 -- A more flexible fix for custom tag constructors yaml/pyyaml#287 -- Change default loader for yaml.add_constructor yaml/pyyaml#305 -- Change default loader for add_implicit_resolver, add_path_resolver * Make FullLoader safer by removing python/object/apply from the default FullLoader yaml/pyyaml#347 -- Move constructor for object/apply to UnsafeConstructor * Fix bug introduced in 5.1 where quoting went wrong on systems with sys.maxunicode <= 0xffff yaml/pyyaml#276 -- Fix logic for quoting special characters * Other PRs: yaml/pyyaml#280 -- Update CHANGES for 5.1 5.1.2 (2019-07-30) * Re-release of 5.1 with regenerated Cython sources to build properly for Python 3.8b2+ 5.1.1 (2019-06-05) * Re-release of 5.1 with regenerated Cython sources to build properly for Python 3.8b1 5.1 (2019-03-13) * yaml/pyyaml#35 -- Some modernization of the test running * yaml/pyyaml#42 -- Install tox in a virtualenv * yaml/pyyaml#45 -- Allow colon in a plain scalar in a flow context * yaml/pyyaml#48 -- Fix typos * yaml/pyyaml#55 -- Improve RepresenterError creation * yaml/pyyaml#59 -- Resolves #57, update readme issues link * yaml/pyyaml#60 -- Document and test Python 3.6 support * yaml/pyyaml#61 -- Use Travis CI built in pip cache support * yaml/pyyaml#62 -- Remove tox workaround for Travis CI * yaml/pyyaml#63 -- Adding support to Unicode characters over codepoint 0xffff * yaml/pyyaml#75 -- add 3.12 changelog * yaml/pyyaml#76 -- Fallback to Pure Python if Compilation fails * yaml/pyyaml#84 -- Drop unsupported Python 3.3 * yaml/pyyaml#102 -- Include license file in the generated wheel package * yaml/pyyaml#105 -- Removed Python 2.6 & 3.3 support * yaml/pyyaml#111 -- Remove commented out Psyco code * yaml/pyyaml#129 -- Remove call to `ord` in lib3 emitter code * yaml/pyyaml#149 -- Test on Python 3.7-dev * yaml/pyyaml#158 -- Support escaped slash in double quotes "\/" * yaml/pyyaml#175 -- Updated link to pypi in release announcement * yaml/pyyaml#181 -- Import Hashable from collections.abc * yaml/pyyaml#194 -- Reverting yaml/pyyaml#74 * yaml/pyyaml#195 -- Build libyaml on travis * yaml/pyyaml#196 -- Force cython when building sdist * yaml/pyyaml#254 -- Allow to turn off sorting keys in Dumper (2) * yaml/pyyaml#256 -- Make default_flow_style=False * yaml/pyyaml#257 -- Deprecate yaml.load and add FullLoader and UnsafeLoader classes * yaml/pyyaml#261 -- Skip certain unicode tests when maxunicode not > 0xffff * yaml/pyyaml#263 -- Windows Appveyor build Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> --git a/config/rootfiles/packages/python3-yaml b/config/rootfiles/packages/python3-yaml x 0870a2346..bd4009a08 100644 * yaml/pyyaml#195 -- Build libyaml on travis * yaml/pyyaml#196 -- Force cython when building sdist * yaml/pyyaml#254 -- Allow to turn off sorting keys in Dumper (2) * yaml/pyyaml#256 -- Make default_flow_style=False * yaml/pyyaml#257 -- Deprecate yaml.load and add FullLoader and Uns oader classes * yaml/pyyaml#261 -- Skip certain unicode tests when maxunicode not xffff * yaml/pyyaml#263 -- Windows Appveyor build Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Closed
10 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Change yaml.load/yaml.dump to be yaml.safe_load/yaml.safe_dump, introduced yaml.danger_dump/yaml.danger_load, and the same for various other classes.
(python2 only at this moment)
Fixes #5