Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
修复用户上传文件中的yaml解析漏洞
  • Loading branch information
zmister committed Sep 3, 2021
1 parent ce0c9f1 commit bb49e12
Show file tree
Hide file tree
Showing 3 changed files with 7 additions and 2 deletions.
5 changes: 5 additions & 0 deletions CHANGES.md
@@ -1,5 +1,10 @@
## 版本更新记录

### v0.7.1 2021-09

- [修复]用户上传文件中yaml加载的安全漏洞;


### v0.7.0 2021-08

- [新增]修改文档页面快捷键(Ctrl+S)保存;
Expand Down
2 changes: 1 addition & 1 deletion MrDoc/settings.py
Expand Up @@ -40,7 +40,7 @@
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = CONFIG.getboolean('site','debug',fallback=False)

VERSIONS = '0.6.9'
VERSIONS = '0.7.0'

ALLOWED_HOSTS = ['*']

Expand Down
2 changes: 1 addition & 1 deletion app_doc/import_utils.py
Expand Up @@ -58,7 +58,7 @@ def read_zip(self,zip_file_path,create_user):
# 读取yaml文件
try:
with open(os.path.join(self.temp_dir ,'mrdoc.yaml'),'r',encoding='utf-8') as yaml_file:
yaml_str = yaml.load(yaml_file.read())
yaml_str = yaml.safe_load(yaml_file.read())
project_name = yaml_str['project_name'] \
if 'project_name' in yaml_str.keys() else zip_file_path[:-4].split('/')[-1]
project_desc = yaml_str['project_desc'] if 'project_desc' in yaml_str.keys() else ''
Expand Down

0 comments on commit bb49e12

Please sign in to comment.