
[snapshot/master] Switch from yaml.load to yaml.safe_load



yaml.load can cause arbitrary python code to be executed.
For the configuration files this isn't necessary.
For the state files this could be actively harmful.
---
 OLD/snapshotpy                            |    2 +-
 db/upgrade                                |    2 +-
 fsck/check-2/check-2                      |    2 +-
 fuse/snapshotfs                           |    2 +-
 master/remove-package                     |    2 +-
 mirror/farm-journal-expire                |    2 +-
 mirror/farm-journal-fetch-tarball         |    6 +++---
 mirror/farm-journal-make-tarball          |    2 +-
 mirror/import-new-dumps                   |    2 +-
 misc/dump-tools/add-new-dumps-to-git      |    2 +-
 misc/dump-tools/import-new-dumps-from-git |    2 +-
 11 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/OLD/snapshotpy b/OLD/snapshotpy
index 8c0edff..25a030f 100755
--- a/OLD/snapshotpy
+++ b/OLD/snapshotpy
@@ -46,7 +46,7 @@ def usage(err = False):
     sys.exit(exit)
 
 def readConfig(conffile):
-    return yaml.load(open(conffile).read())
+    return yaml.safe_load(open(conffile).read())
 
 def setupLogger(conf, stdout, quiet):
     if quiet >= 2:
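Review bot: The rewritten readConfig still reads via `open(conffile).read()` without ever closing the handle, leaving the file object to the garbage collector; since yaml.safe_load accepts a stream, the body can simply be `with open(conffile) as f:` / `return yaml.safe_load(f)`. The same pattern survives in every other hunk of this patch (the readConfig functions in db/upgrade and fuse/snapshotfs, and the module-level `config = yaml.safe_load(open(options.conffile).read())` lines in the remaining files), so the cleanup belongs in all of them rather than here alone. readConfig is complete within this hunk.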
diff --git a/db/upgrade b/db/upgrade
index ed5d453..3e087e4 100755
--- a/db/upgrade
+++ b/db/upgrade
@@ -82,7 +82,7 @@ def usage(err = False):
     sys.exit(exit)
 
 def readConfig(conffile):
-    return yaml.load(open(conffile).read())
+    return yaml.safe_load(open(conffile).read())
 
 def main():
     if len(sys.argv) <= 1:
diff --git a/fsck/check-2/check-2 b/fsck/check-2/check-2
index 2429978..adb7d61 100755
--- a/fsck/check-2/check-2
+++ b/fsck/check-2/check-2
@@ -39,7 +39,7 @@ if options.conffile is None:
     parser.print_help()
     sys.exit(1)
 
-config = yaml.load(open(options.conffile).read())
+config = yaml.safe_load(open(options.conffile).read())
 
 def make_path(digest):
   prefix1 = digest[0:2]
diff --git a/fuse/snapshotfs b/fuse/snapshotfs
index 6415c1d..76de0c9 100755
--- a/fuse/snapshotfs
+++ b/fuse/snapshotfs
@@ -554,7 +554,7 @@ def usage(err = False):
     sys.exit(exit)
 
 def readConfig(conffile):
-    return yaml.load(open(conffile).read())
+    return yaml.safe_load(open(conffile).read())
 
 def main():
    if len(sys.argv) <= 1:
diff --git a/master/remove-package b/master/remove-package
index 5fcf2d7..1d05e6d 100755
--- a/master/remove-package
+++ b/master/remove-package
@@ -74,7 +74,7 @@ if not numactions == 1:
     parser.print_help()
     sys.exit(1)
 
-config = yaml.load(open(options.conffile).read())
+config = yaml.safe_load(open(options.conffile).read())
 db = DBHelper(config['db']['connectstring'])
 
 def make_path(digest):
diff --git a/mirror/farm-journal-expire b/mirror/farm-journal-expire
index 98fc17b..f21f918 100755
--- a/mirror/farm-journal-expire
+++ b/mirror/farm-journal-expire
@@ -44,7 +44,7 @@ if options.conffile is None:
     parser.print_help()
     sys.exit(1)
 
-config = yaml.load(open(options.conffile).read())
+config = yaml.safe_load(open(options.conffile).read())
 
 db = DBHelper(config['db']['connectstring'])
 args = {}
diff --git a/mirror/farm-journal-fetch-tarball b/mirror/farm-journal-fetch-tarball
index 3db27f8..137cd75 100755
--- a/mirror/farm-journal-fetch-tarball
+++ b/mirror/farm-journal-fetch-tarball
@@ -53,7 +53,7 @@ if options.conffile is None:
     parser.print_help()
     sys.exit(1)
 
-config = yaml.load(open(options.conffile).read())
+config = yaml.safe_load(open(options.conffile).read())
 
 def get_statefile_path():
     return os.path.join(config['snapshot']['farmpath'], '.farm-journal-fetch.state')
@@ -100,7 +100,7 @@ def move_file_with_fallback(src, dst):
 statefile = get_statefile_path()
 since = 0
 if os.path.exists(statefile):
-    meta = yaml.load(open(statefile).read())
+    meta = yaml.safe_load(open(statefile).read())
     if 'latest-timestamp' in meta:
         since = int(meta['latest-timestamp'])
 
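Review bot: The membership test `'latest-timestamp' in meta` on the line after the changed one assumes the parsed state file is a mapping, but yaml.safe_load returns None for an empty document and a str or list for a scalar or sequence document, so the `in` test can raise TypeError or silently do substring matching; guard it with `if isinstance(meta, dict) and 'latest-timestamp' in meta:`. The `int(meta['latest-timestamp'])` conversion on the following line would likewise raise ValueError on non-numeric content, which a stale or hand-edited state file could plausibly contain. The same mapping assumption appears in the next hunk, where the `meta` file read from the working directory is parsed inside a `try:` whose handler lies outside the hunk, so whether such an error is caught there cannot be seen from this patch. The `if os.path.exists(statefile):` block is complete within this hunk, but the surrounding module-level code continues outside it.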
@@ -125,7 +125,7 @@ try:
 
     if os.path.exists('meta'):
         try:
-            meta = yaml.load(open('meta').read())
+            meta = yaml.safe_load(open('meta').read())
             if 'latest-timestamp' in meta:
                 f = open(statefile, "w")
                 f.write(yaml.dump(meta))
diff --git a/mirror/farm-journal-make-tarball b/mirror/farm-journal-make-tarball
index c3d4449..2cc250f 100755
--- a/mirror/farm-journal-make-tarball
+++ b/mirror/farm-journal-make-tarball
@@ -46,7 +46,7 @@ if options.conffile is None:
     parser.print_help()
     sys.exit(1)
 
-config = yaml.load(open(options.conffile).read())
+config = yaml.safe_load(open(options.conffile).read())
 
 def make_path(digest):
   prefix1 = digest[0:2]
diff --git a/mirror/import-new-dumps b/mirror/import-new-dumps
index 22acbb3..c5e37f5 100755
--- a/mirror/import-new-dumps
+++ b/mirror/import-new-dumps
@@ -57,7 +57,7 @@ if options.conffile is None:
     parser.print_help()
     sys.exit(1)
 
-config = yaml.load(open(options.conffile).read())
+config = yaml.safe_load(open(options.conffile).read())
 db = DBHelper(config['db']['connectstring'])
 os.chdir(config['dump']['incoming-dumppath'])
 
diff --git a/misc/dump-tools/add-new-dumps-to-git b/misc/dump-tools/add-new-dumps-to-git
index 2e9e3c4..7e1c0f4 100755
--- a/misc/dump-tools/add-new-dumps-to-git
+++ b/misc/dump-tools/add-new-dumps-to-git
@@ -97,7 +97,7 @@ if options.extracter is None:
 if options.adder is None:
     options.adder = os.path.join(thisscriptdir, 'add-dump-to-git')
 
-config = yaml.load(open(options.conffile).read())
+config = yaml.safe_load(open(options.conffile).read())
 db = DBHelper(config['db']['connectstring'])
 
 if not os.path.exists(options.snapshot) or not os.access(options.snapshot, os.X_OK):
diff --git a/misc/dump-tools/import-new-dumps-from-git b/misc/dump-tools/import-new-dumps-from-git
index 784c35d..3ea9c6f 100755
--- a/misc/dump-tools/import-new-dumps-from-git
+++ b/misc/dump-tools/import-new-dumps-from-git
@@ -58,7 +58,7 @@ if options.snapshot is None:
 if options.extracter is None:
     options.extracter = os.path.join(thisscriptdir, 'extract-dumps')
 
-config = yaml.load(open(options.conffile).read())
+config = yaml.safe_load(open(options.conffile).read())
 db = DBHelper(config['db']['connectstring'])
 
 if not os.path.exists(options.snapshot) or not os.access(options.snapshot, os.X_OK):
-- 
1.7.2.5

