From: Jeremy Stanley Date: Sat, 18 Apr 2015 06:54:07 +0000 (+0000) Subject: Switch to yaml.safe_load for better security X-Git-Tag: 0.0.1~216 X-Git-Url: https://mudpy.org/gitweb?p=mudpy.git;a=commitdiff_plain;h=7e78772b5ba2efbb84710db0ecd540c9b745217a Switch to yaml.safe_load for better security Use the yaml.safe_load to avoid unwanted privilege escalation due to deserializing unsafe objects. Also switch to yaml.safe.dump for symmetry, so that we don't write out files we'll later refuse to parse.
---
diff --git a/lib/mudpy/data.py b/lib/mudpy/data.py
index 062bd87..8386842 100644
--- a/lib/mudpy/data.py
+++ b/lib/mudpy/data.py
@@ -26,7 +26,7 @@ class DataFile:
         """Read a file and create elements accordingly."""
         self.modified = False
         try:
-            self.data = yaml.load(open(self.filename))
+            self.data = yaml.safe_load(open(self.filename))
         except FileNotFoundError:
             # it's normal if the file is one which doesn't exist yet
             log_entry = ("File %s is unavailable." % self.filename, 6)
@@ -162,8 +162,8 @@ class DataFile:
         os.umask(old_umask)
 
         # write and close the file
-        yaml.dump(self.data, allow_unicode=True, default_flow_style=False,
-                  stream=file_descriptor)
+        yaml.safe_dump(self.data, allow_unicode=True,
+                       default_flow_style=False, stream=file_descriptor)
         file_descriptor.close()
 
         # unset the modified flag
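Review bot: The file opened on the `+` line is never closed — `open(self.filename)` is handed straight to `yaml.safe_load` and the handle is left to the garbage collector, which CPython usually cleans up promptly but which is not guaranteed and trips `ResourceWarning`. Wrap it in a context manager: `with open(self.filename) as fd:` / `self.data = yaml.safe_load(fd)`. Note also that `safe_load` returns `None` for an empty file rather than a mapping, and a malformed or tag-bearing file (e.g. one written by the old `yaml.dump` with `!!python/object` tags) raises `yaml.YAMLError`, which the `except FileNotFoundError` branch here does not cover — whether callers tolerate `self.data is None` or an exception is not visible from the hunk. The enclosing method starts and ends outside the hunk.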
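Review bot: With `safe_dump` on the `+` lines, any value in `self.data` that is not a plain YAML type now raises `yaml.representer.RepresenterError` (where `yaml.dump` would have emitted a `!!python/object` tag), and because `file_descriptor.close()` follows the dump with no `try`/`finally`, that exception leaves the descriptor open and the already-opened target file partially written. At minimum release the descriptor in a `finally`, as below; writing to a temporary file and `os.replace`-ing it into place would additionally avoid leaving a truncated data file behind, but the descriptor is opened outside this hunk so I can't place that change precisely. The enclosing method starts and ends outside the hunk.
```python
        # … unchanged: umask restore …

        # write and close the file; safe_dump raises RepresenterError for
        # non-plain objects, so release the descriptor even on failure
        try:
            yaml.safe_dump(self.data, allow_unicode=True,
                           default_flow_style=False, stream=file_descriptor)
        finally:
            file_descriptor.close()

        # … unchanged: reset modified flag …
```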