summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorAymeric Augustin <aymeric.augustin@m4x.org>2011-11-01 20:07:42 +0000
committerAymeric Augustin <aymeric.augustin@m4x.org>2011-11-01 20:07:42 +0000
commitd71b4309ca3c4c7aafc446404f86499c7366a771 (patch)
treea626b4dabd67741b6f5e33c4a48fe2f9f490da0a /docs
parentaf1893c4ff8fdbf227a43a559d90bb1c1238b01a (diff)
Used yaml.safe_load instead of yaml.load, because safety should be the default.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17062 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.4.txt10
1 files changed, 10 insertions, 0 deletions
diff --git a/docs/releases/1.4.txt b/docs/releases/1.4.txt
index 254e85197d..c8e476263b 100644
--- a/docs/releases/1.4.txt
+++ b/docs/releases/1.4.txt
@@ -743,6 +743,16 @@ you can easily achieve the same by overriding the `open` method, e.g.::
def open(self, name, mode='rb'):
return Spam(open(self.path(name), mode))
+YAML deserializer now uses ``yaml.safe_load``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+``yaml.load`` is able to construct any Python object, which may trigger
+arbitrary code execution if you process a YAML document that comes from an
+untrusted source. This feature isn't necessary for Django's YAML deserializer,
+whose primary use is to load fixtures consisting of simple objects. Even though
+fixtures are trusted data, for additional security, the YAML deserializer now
+uses ``yaml.safe_load``.
+
.. _deprecated-features-1.4:
Features deprecated in 1.4