[dak/master] use yaml.safe_{load,dump} functions
The yaml.load() function can run arbitrary code; the safe_load() variant only
understands a safe subset of YAML, which is enough for dak.
---
dak/stats.py | 4 ++--
dak/transitions.py | 6 +++---
daklib/checks.py | 4 ++--
daklib/queue.py | 2 --
4 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/dak/stats.py b/dak/stats.py
index 40ecc95..6f69e1a 100755
--- a/dak/stats.py
+++ b/dak/stats.py
@@ -41,7 +41,7 @@ from os import listdir, system, unlink
from os.path import isfile, join, splitext
from re import findall, DOTALL, MULTILINE
from sys import stderr
-from yaml import load, safe_dump
+from yaml import safe_load, safe_dump
from daklib import utils
from daklib.dbconn import DBConn, get_suite_architectures, Suite, Architecture
@@ -340,7 +340,7 @@ def new_stats(logdir, yaml):
global stats
try:
with open(yaml, 'r') as fd:
- stats = load(fd)
+ stats = safe_load(fd)
except IOError:
pass
if not stats:
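Review bot: A yaml.YAMLError raised by the new `stats = safe_load(fd)` is not caught here: the surrounding `except IOError: pass` only covers a missing or unreadable file, so a malformed stats file aborts new_stats with a traceback, unlike the load_transitions and daklib/checks.py call sites in this series, which all catch yaml.YAMLError. If a corrupt stats file should be treated like a missing one, widen the handler to `except (IOError, YAMLError):` and add `YAMLError` to the `from yaml import safe_load, safe_dump` line in the first hunk of this file. The `if not stats:` on the last line already covers the None that safe_load returns for an empty file. new_stats continues outside the hunk.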
diff --git a/dak/transitions.py b/dak/transitions.py
index 7409f6f..68c65b6 100755
--- a/dak/transitions.py
+++ b/dak/transitions.py
@@ -134,7 +134,7 @@ def load_transitions(trans_file):
sourcecontent = sourcefile.read()
failure = False
try:
- trans = yaml.load(sourcecontent)
+ trans = yaml.safe_load(sourcecontent)
except yaml.YAMLError as exc:
# Someone fucked it up
print "ERROR: %s" % (exc)
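Review bot: `yaml.safe_load` returns None for an empty or comment-only file rather than raising, so the `except yaml.YAMLError` branch after the new `trans = yaml.safe_load(sourcecontent)` does not cover that case and `trans` continues as None into the rest of load_transitions, which is outside the hunk; whether the later code tolerates None cannot be seen here. If it does not, a guard such as `if trans is None: trans = {}` right after the assignment (assuming a mapping, which the `t["rm"]` access in daklib/checks.py suggests) would keep an empty transitions file from surfacing as a TypeError further down, or it could be routed into the same error path. The same None-on-empty behaviour applies to the new `transitions = yaml.safe_load(contents)` in the daklib/checks.py hunk at line 602, where the None is returned to a caller outside the hunk.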
@@ -262,7 +262,7 @@ def write_transitions(from_trans):
temp_lock = lock_file(trans_temp)
destfile = file(trans_temp, 'w')
- yaml.dump(from_trans, destfile, default_flow_style=False)
+ yaml.safe_dump(from_trans, destfile, default_flow_style=False)
destfile.close()
os.rename(trans_temp, trans_file)
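Review bot: `yaml.safe_dump` is stricter than the `yaml.dump` it replaces — it raises yaml.representer.RepresenterError for any object that is not a plain YAML-representable type — and on that path `destfile`, opened two lines earlier with `file(trans_temp, 'w')`, is never closed and whatever releases `temp_lock` later in the function (outside the hunk) is skipped, since neither is protected by a context manager or `finally`. The data comes from safe_load, so the error should not occur in practice, but wrapping the write as `with open(trans_temp, 'w') as destfile:` / `    yaml.safe_dump(from_trans, destfile, default_flow_style=False)` makes the close unconditional. The same applies to the `f = open(path, "w")` / `yaml.safe_dump(transitions, f, ...)` pair in the temp_transitions_file hunk below, where `f` is never closed at all and the `fd` returned by mkstemp is also left open. write_transitions continues outside the hunk.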
@@ -321,7 +321,7 @@ def temp_transitions_file(transitions):
(fd, path) = tempfile.mkstemp("", "transitions", Cnf["Dir::TempPath"])
os.chmod(path, 0o644)
f = open(path, "w")
- yaml.dump(transitions, f, default_flow_style=False)
+ yaml.safe_dump(transitions, f, default_flow_style=False)
return path
################################################################################
diff --git a/daklib/checks.py b/daklib/checks.py
index 14fb02d..f0d19ad 100644
--- a/daklib/checks.py
+++ b/daklib/checks.py
@@ -602,7 +602,7 @@ transition is done.""".format(source, currentlymsg, expected,t["rm"])))
contents = file(path, 'r').read()
try:
- transitions = yaml.load(contents)
+ transitions = yaml.safe_load(contents)
return transitions
except yaml.YAMLError as msg:
utils.warn('Not checking transitions, the transitions file is broken: {0}'.format(msg))
@@ -643,7 +643,7 @@ class LintianCheck(Check):
with open(tagfile, 'r') as sourcefile:
sourcecontent = sourcefile.read()
try:
- lintiantags = yaml.load(sourcecontent)['lintian']
+ lintiantags = yaml.safe_load(sourcecontent)['lintian']
except yaml.YAMLError as msg:
raise Exception('Could not read lintian tags file {0}, YAML error: {1}'.format(tagfile, msg))
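Review bot: The new line `lintiantags = yaml.safe_load(sourcecontent)['lintian']` subscripts the parse result inside a `try` that only catches yaml.YAMLError, so an empty tag file (safe_load returns None, giving a TypeError) or a file without a top-level `lintian` key (KeyError) escapes as a bare traceback instead of the 'Could not read lintian tags file' exception two lines below. Catching those as well, `except (yaml.YAMLError, KeyError, TypeError) as msg:`, keeps the failure reported together with the file name; the message's 'YAML error' wording would then be slightly loose for the missing-key case. The enclosing LintianCheck method starts before the hunk.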
diff --git a/daklib/queue.py b/daklib/queue.py
index 8c30626..5a5c8f9 100755
--- a/daklib/queue.py
+++ b/daklib/queue.py
@@ -41,8 +41,6 @@ from types import *
from sqlalchemy.sql.expression import desc
from sqlalchemy.orm.exc import NoResultFound
-import yaml
-
from dak_exceptions import *
from changes import *
from regexes import *
--
1.7.10.4