From 64a549e6db7dc8c2473c835bca2df7a38cda0e34 Mon Sep 17 00:00:00 2001
From: gengchc2
Date: Sat, 4 Feb 2017 18:21:33 +0800
Subject: [PATCH] Replaces yaml.load() with yaml.safe_load()
Yaml.load() return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load() limits this ability to simple Python objects like integers or lists. Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html
Change-Id: I78fde872948d6838957e35765c3f182bd4b9b512
---
 generate_requirements/generate_requirements.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/generate_requirements/generate_requirements.py b/generate_requirements/generate_requirements.py
index 1729fd25..30d495f4 100644
--- a/generate_requirements/generate_requirements.py
+++ b/generate_requirements/generate_requirements.py
@@ -37,7 +37,7 @@ DEVNULL = open(os.devnull, 'w')
 # load the yaml file
 with io.open(filename, 'rb') as f:
- roles = yaml.load(f)
+ roles = yaml.safe_load(f)
 role_names = []
 role_dict = {}
@@ -87,7 +87,7 @@ for role in role_names:
 # Try to read the dependencies from the role's meta/main.yml
 try:
 with io.open(os.path.join(role, "meta", "main.yml")) as f:
- y = yaml.load(f)
+ y = yaml.safe_load(f)
 for dep in y['dependencies']:
 try:
 dep = dep['role']
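Review bot: The `# load the yaml file` comment above the new `roles = yaml.safe_load(f)` line does not record why the safe loader is required, so a later edit wanting a loader feature could quietly revert it to `yaml.load`; suggest `# load the yaml file with the safe loader: role definitions must not be able to construct arbitrary Python objects`. The second hunk's `y = yaml.safe_load(f)` has no comment either and would benefit from the same one-liner. What is done with `roles` after this hunk is outside the view, so whether an empty file (where `safe_load` yields `None`) is handled cannot be told from here.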
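Review bot: `y = yaml.safe_load(f)` yields `None` for an empty `meta/main.yml`, so the following `for dep in y['dependencies']:` line raises TypeError, and a file without a `dependencies` key raises KeyError; whether the enclosing `try` is meant to absorb those cannot be told from here because its `except` lies outside the hunk. If it is not, `for dep in (y or {}).get('dependencies') or []:` treats both cases as "no dependencies" without changing the loader. The loop body and the `except` for this `try` continue outside the hunk.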