use yaml.safe_{load,dump} functions

The yaml.load() function can run arbitrary code, the safe_load() variant only understands a safe subset of YAML which is enough for dak.

use yaml.safe_{load,dump} functions
The yaml.load() function can run arbitrary code, the safe_load() variant only understands a safe subset of YAML which is enough for dak.
01ebf813 · Ansgar Burchardt · 9577d0bf · 01ebf813 · 01ebf813 · 01ebf813
隐藏空白更改
内联并排

Showing with 7 addition and 9 deletion

dak/stats.py dak/stats.py +2 -2

dak/transitions.py dak/transitions.py +3 -3

daklib/checks.py daklib/checks.py +2 -2

daklib/queue.py daklib/queue.py +0 -2

未找到文件。
--- a/dak/stats.py
+++ b/dak/stats.py
@@ -41,7 +41,7 @@ from os import listdir, system, unlink
 from os.path import isfile, join, splitext
 from re import findall, DOTALL, MULTILINE
 from sys import stderr
-from yaml import load, safe_dump
+from yaml import safe_load, safe_dump

 from daklib import utils
 from daklib.dbconn import DBConn, get_suite_architectures, Suite, Architecture
@@ -340,7 +340,7 @@ def new_stats(logdir, yaml):
    global stats
    try:
        with open(yaml, 'r') as fd:
-            stats = load(fd)
+            stats = safe_load(fd)
    except IOError:
        pass
    if not stats:

--- a/dak/transitions.py
+++ b/dak/transitions.py
@@ -134,7 +134,7 @@ def load_transitions(trans_file):
    sourcecontent = sourcefile.read()
    failure = False
    try:
-        trans = yaml.load(sourcecontent)
+        trans = yaml.safe_load(sourcecontent)
    except yaml.YAMLError as exc:
        # Someone fucked it up
        print "ERROR: %s" % (exc)
@@ -262,7 +262,7 @@ def write_transitions(from_trans):
    temp_lock  = lock_file(trans_temp)

    destfile = file(trans_temp, 'w')
-    yaml.dump(from_trans, destfile, default_flow_style=False)
+    yaml.safe_dump(from_trans, destfile, default_flow_style=False)
    destfile.close()

    os.rename(trans_temp, trans_file)
@@ -321,7 +321,7 @@ def temp_transitions_file(transitions):
    (fd, path) = tempfile.mkstemp("", "transitions", Cnf["Dir::TempPath"])
    os.chmod(path, 0o644)
    f = open(path, "w")
-    yaml.dump(transitions, f, default_flow_style=False)
+    yaml.safe_dump(transitions, f, default_flow_style=False)
    return path

 ################################################################################

--- a/daklib/checks.py
+++ b/daklib/checks.py
@@ -602,7 +602,7 @@ transition is done.""".format(source, currentlymsg, expected,t["rm"])))

        contents = file(path, 'r').read()
        try:
-            transitions = yaml.load(contents)
+            transitions = yaml.safe_load(contents)
            return transitions
        except yaml.YAMLError as msg:
            utils.warn('Not checking transitions, the transitions file is broken: {0}'.format(msg))
@@ -643,7 +643,7 @@ class LintianCheck(Check):
        with open(tagfile, 'r') as sourcefile:
            sourcecontent = sourcefile.read()
        try:
-            lintiantags = yaml.load(sourcecontent)['lintian']
+            lintiantags = yaml.safe_load(sourcecontent)['lintian']
        except yaml.YAMLError as msg:
            raise Exception('Could not read lintian tags file {0}, YAML error: {1}'.format(tagfile, msg))


--- a/daklib/queue.py
+++ b/daklib/queue.py
@@ -41,8 +41,6 @@ from types import *
 from sqlalchemy.sql.expression import desc
 from sqlalchemy.orm.exc import NoResultFound

-import yaml
-
 from dak_exceptions import *
 from changes import *
 from regexes import *