summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAymeric Augustin <aymeric.augustin@m4x.org>2011-11-01 20:07:42 +0000
committerAymeric Augustin <aymeric.augustin@m4x.org>2011-11-01 20:07:42 +0000
commitd71b4309ca3c4c7aafc446404f86499c7366a771 (patch)
treea626b4dabd67741b6f5e33c4a48fe2f9f490da0a
parentaf1893c4ff8fdbf227a43a559d90bb1c1238b01a (diff)
Used yaml.safe_load instead of yaml.load, because safety should be the default.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17062 bcc190cf-cafb-0310-a4f2-bffc1f526a37
-rw-r--r--django/core/serializers/pyyaml.py2
-rw-r--r--docs/releases/1.4.txt10
-rw-r--r--tests/modeltests/serializers/tests.py8
3 files changed, 15 insertions, 5 deletions
diff --git a/django/core/serializers/pyyaml.py b/django/core/serializers/pyyaml.py
index c443b63bc9..a9f4575823 100644
--- a/django/core/serializers/pyyaml.py
+++ b/django/core/serializers/pyyaml.py
@@ -51,6 +51,6 @@ def Deserializer(stream_or_string, **options):
stream = StringIO(stream_or_string)
else:
stream = stream_or_string
- for obj in PythonDeserializer(yaml.load(stream), **options):
+ for obj in PythonDeserializer(yaml.safe_load(stream), **options):
yield obj
diff --git a/docs/releases/1.4.txt b/docs/releases/1.4.txt
index 254e85197d..c8e476263b 100644
--- a/docs/releases/1.4.txt
+++ b/docs/releases/1.4.txt
@@ -743,6 +743,16 @@ you can easily achieve the same by overriding the `open` method, e.g.::
def open(self, name, mode='rb'):
return Spam(open(self.path(name), mode))
+YAML deserializer now uses ``yaml.safe_load``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+``yaml.load`` is able to construct any Python object, which may trigger
+arbitrary code execution if you process a YAML document that comes from an
+untrusted source. This feature isn't necessary for Django's YAML deserializer,
+whose primary use is to load fixtures consisting of simple objects. Even though
+fixtures are trusted data, for additional security, the YAML deserializer now
+uses ``yaml.safe_load``.
+
.. _deprecated-features-1.4:
Features deprecated in 1.4
diff --git a/tests/modeltests/serializers/tests.py b/tests/modeltests/serializers/tests.py
index 5e5a4b333a..99c065aeaf 100644
--- a/tests/modeltests/serializers/tests.py
+++ b/tests/modeltests/serializers/tests.py
@@ -425,7 +425,7 @@ else:
@staticmethod
def _validate_output(serial_str):
try:
- yaml.load(StringIO(serial_str))
+ yaml.safe_load(StringIO(serial_str))
except Exception:
return False
else:
@@ -435,7 +435,7 @@ else:
def _get_pk_values(serial_str):
ret_list = []
stream = StringIO(serial_str)
- for obj_dict in yaml.load(stream):
+ for obj_dict in yaml.safe_load(stream):
ret_list.append(obj_dict["pk"])
return ret_list
@@ -443,10 +443,10 @@ else:
def _get_field_values(serial_str, field_name):
ret_list = []
stream = StringIO(serial_str)
- for obj_dict in yaml.load(stream):
+ for obj_dict in yaml.safe_load(stream):
if "fields" in obj_dict and field_name in obj_dict["fields"]:
field_value = obj_dict["fields"][field_name]
- # yaml.load will return non-string objects for some
+ # yaml.safe_load will return non-string objects for some
# of the fields we are interested in, this ensures that
# everything comes back as a string
if isinstance(field_value, basestring):