From: Jeremy Stanley Date: Sat, 18 Apr 2015 06:54:07 +0000 (+0000) Subject: Switch to yaml.safe_load for better security X-Git-Tag: 0.0.1~216 X-Git-Url: https://mudpy.org/gitweb?a=commitdiff_plain;h=7e78772b5ba2efbb84710db0ecd540c9b745217a;p=mudpy.git Switch to yaml.safe_load for better security Use the yaml.safe_load to avoid unwanted privilege escalation due to deserializing unsafe objects. Also switch to yaml.safe.dump for symmetry, so that we don't write out files we'll later refuse to parse. --- diff --git a/lib/mudpy/data.py b/lib/mudpy/data.py index 062bd87..8386842 100644 --- a/lib/mudpy/data.py +++ b/lib/mudpy/data.py @@ -26,7 +26,7 @@ class DataFile: """Read a file and create elements accordingly.""" self.modified = False try: - self.data = yaml.load(open(self.filename)) + self.data = yaml.safe_load(open(self.filename)) except FileNotFoundError: # it's normal if the file is one which doesn't exist yet log_entry = ("File %s is unavailable." % self.filename, 6) @@ -162,8 +162,8 @@ class DataFile: os.umask(old_umask) # write and close the file - yaml.dump(self.data, allow_unicode=True, default_flow_style=False, - stream=file_descriptor) + yaml.safe_dump(self.data, allow_unicode=True, + default_flow_style=False, stream=file_descriptor) file_descriptor.close() # unset the modified flag