Fix security vulnerability by using yaml.safe_load instead of yaml.load

ypid · Feb 21, 2017 · 8645e91 · 8645e91
1 parent c9caf8c
commit 8645e91
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -12,6 +12,14 @@ yaml4rst master - unreleased
 
 .. _yaml4rst master: https://github.com/ypid/yaml4rst/compare/v0.1.3...master
 
+Security
+~~~~~~~~
+
+- The default ``yaml.load`` method from PyYAML which is used to validate the input YAML file is unsafe.
+  Using a maliciously crafted input YAML file, arbitrary code could have been executed when running ``yaml4rst``.
+
+  Refer to the issue `rename load to dangerous_load <https://bitbucket.org/xi/pyyaml/issues/3/rename-load-to-dangerous_load>`_.
+  This has been fixed by switching to ``yaml.safe_load`` (which should really be the default btw). [ypid_]
 
 `yaml4rst v0.1.3`_ - 2017-02-14
 -------------------------------

diff --git a/yaml4rst/reformatter.py b/yaml4rst/reformatter.py
@@ -109,7 +109,7 @@ def read_file(self, input_file):
 
             # Since this parser is very rudimentary, we check at the beginning
             # if the file we got is even valid YAML.
-            yaml.load(self.get_content())
+            yaml.safe_load(self.get_content())
 
     def get_content(self):
         """Return one string containing all lines."""
@@ -147,7 +147,7 @@ def reformat(self):
 
         # Just to ensure that we did not make a mistake.
         self._check_folds()
-        yaml.load(self.get_content())
+        yaml.safe_load(self.get_content())
 
     def write_file(self, output_file):
         """Write the instance lines to the given output file path and save its content for later processing."""