Use json.loads instead of eval() on the config

eval isn't safe or secure and shouldn't ever be used in this situation.
We can possibly use oslo.config for this, so this is only a partial fix
but might be good enough. This change removes a security issue.

Partial-Bug: #1783293
Change-Id: Id5c02d92ad7335c3d7d42ac353b88376cdb704fb
Dougal Matthews 2018-07-24 09:38:09 +01:00
parent 8806b5b7d8
commit 0867becb8f

@ -19,6 +19,7 @@ Configuration options registration and useful routines.
"""
import itertools
import json
import os
from keystoneauth1 import loading
@ -335,7 +336,7 @@ notifier_opts = [
),
cfg.ListOpt(
'notify',
item_type=eval,
item_type=json.loads,
bounds=True,
help=_('List of publishers to publish notification.')
)
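
Review bot: In the `notify` option, `item_type=json.loads` accepts only strict JSON, so values that operators wrote as Python literals for `eval` (single-quoted strings, `True`/`False`/`None`, trailing commas) will now be rejected, and the `help=` text still reads only 'List of publishers to publish notification.' with no mention of the expected format. Suggest stating the JSON requirement in the help string and adding a release note for upgrades. Separately, `json.loads` returns any JSON value (a number, a bare string, a nested list), so nothing at this point checks that each item has the structure the publisher code expects; a small wrapper that calls `json.loads` and raises `ValueError` on an unexpected type would surface bad entries at config load rather than at notification time.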