openstack/python-muranoclient
Code Issues Proposed changes
839e5d8285
python-muranoclient/releasenotes/notes/safeloader-cve-2016-4972-e3f7ad9b234655ca.yaml
Kirill Zaitsev cd182ba363 Use yaml.SafeLoader instead of yaml.Loader 
Before this patch yaml.Loader was used by the client to create custom
yaql-enabled yaml loader. It is unsfae do to so, because yaml.Loader is
capable of creating custom python objects from specifically constructed
yaml files.
UI parsing functions also fell back to yaml.Loader if
the custom loader was not supplied.
After this patch all yaml load operations are performed with safe
loaders instead.

Change-Id: Id9bb6eabda35522271ec394f8758a974878cbb4b
Closes-Bug: #1586078
2016-06-23 18:26:23 +03:00

10 lines
405 B
YAML
Raw Blame History

---
security:
- cve-2016-4972 has been addressed. In ceveral places
Murano used loaders inherited directly from yaml.Loader
when parsing MuranoPL and UI files from packages.
This is unsafe, because this loader is capable of creating
custom python objects from specifically constructed
yaml files. With this change all yaml loading operations are done
using safe loaders instead.
View Git Blame Copy Permalink