Commit bb49e12

zmister committed
Fix the YAML parsing vulnerability in user-uploaded files
1 parent ce0c9f1 commit bb49e12

3 files changed: +7 -2 lines changed

Diff for: CHANGES.md

+5
@@ -1,5 +1,10 @@
11
## 版本更新记录
22

3+
### v0.7.1 2021-09
4+
5+
- [修复]用户上传文件中yaml加载的安全漏洞;
6+
7+
38
### v0.7.0 2021-08
49

510
- [新增]修改文档页面快捷键(Ctrl+S)保存;
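
Review bot: The v0.7.1 entry added at new line 5 names the issue only as a security flaw in YAML loading of user-uploaded files, which does not tell an operator what was exposed or which releases need the upgrade. Say in the entry that the upload import path now parses YAML with the safe loader and that earlier versions should upgrade. The two consecutive blank lines added at new lines 6 and 7 can be reduced to one to match the spacing under the v0.7.0 heading.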

Diff for: MrDoc/settings.py

+1-1
@@ -40,7 +40,7 @@
4040
# SECURITY WARNING: don't run with debug turned on in production!
4141
DEBUG = CONFIG.getboolean('site','debug',fallback=False)
4242

43-
VERSIONS = '0.6.9'
43+
VERSIONS = '0.7.0'
4444

4545
ALLOWED_HOSTS = ['*']
4646
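
Review bot: The version string set on line 43 is '0.7.0', but the CHANGES.md hunk in this same commit records the fix under v0.7.1, so an instance carrying this fix reports a version that the changelog does not associate with it. Set `VERSIONS = '0.7.1'` here so the running version can be used to confirm the fix is present.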

Diff for: app_doc/import_utils.py

+1-1
@@ -58,7 +58,7 @@ def read_zip(self,zip_file_path,create_user):
5858
# 读取yaml文件
5959
try:
6060
with open(os.path.join(self.temp_dir ,'mrdoc.yaml'),'r',encoding='utf-8') as yaml_file:
61-
yaml_str = yaml.load(yaml_file.read())
61+
yaml_str = yaml.safe_load(yaml_file.read())
6262
project_name = yaml_str['project_name'] \
6363
if 'project_name' in yaml_str.keys() else zip_file_path[:-4].split('/')[-1]
6464
project_desc = yaml_str['project_desc'] if 'project_desc' in yaml_str.keys() else ''
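
Review bot: The value returned by safe_load on line 61 is used on lines 62 to 64 as a mapping without any type check, although it is still content chosen by the uploader: an empty mrdoc.yaml yields None and a top-level list or scalar has no `.keys()`, so those lines raise AttributeError inside the try block, whose handler is not visible in this hunk. Check `isinstance(yaml_str, dict)` immediately after loading and reject the archive otherwise, and confirm that project_name and project_desc are strings before they are used. safe_load also accepts the open file object directly, so the `.read()` call can be dropped, and the name yaml_str no longer describes a parsed mapping.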
