Switch to yaml.safe_load for better security

Use the yaml.safe_load to avoid unwanted privilege escalation due to
deserializing unsafe objects. Also switch to yaml.safe.dump for
symmetry, so that we don't write out files we'll later refuse to
parse.

diff --git a/lib/mudpy/data.py b/lib/mudpy/data.py
index 062bd87..8386842 100644 (file)
--- a/lib/mudpy/data.py
+++ b/lib/mudpy/data.py
@@ -26,7 +26,7 @@ class DataFile:
         """Read a file and create elements accordingly."""
         self.modified = False
         try:
-            self.data = yaml.load(open(self.filename))
+            self.data = yaml.safe_load(open(self.filename))
         except FileNotFoundError:
             # it's normal if the file is one which doesn't exist yet
             log_entry = ("File %s is unavailable." % self.filename, 6)
@@ -162,8 +162,8 @@ class DataFile:
             os.umask(old_umask)
 
             # write and close the file
-            yaml.dump(self.data, allow_unicode=True, default_flow_style=False,
-                      stream=file_descriptor)
+            yaml.safe_dump(self.data, allow_unicode=True,
+                           default_flow_style=False, stream=file_descriptor)
             file_descriptor.close()
 
             # unset the modified flag