author | Ingy döt Net <ingy@ingy.net> | 2021-01-09 10:53:23 -0500 |
committer | Ingy döt Net <ingy@ingy.net> | 2021-01-13 16:58:40 -0500 |
commit | a001f2782501ad2d24986959f0239a354675f9dc (patch) | |
tree | 918886f579f850e584daf616ca40eb86936f6b7e | |
parent | fe150624146ee631bb0f95e45731e8b01281fed6 (diff) | |
download | pyyaml-git-a001f2782501ad2d24986959f0239a354675f9dc.tar.gz |
Fix for CVE-2020-14343
Per suggestion https://github.com/yaml/pyyaml/issues/420#issuecomment-663888344
move a few constructors from full_load to unsafe_load.
-rw-r--r-- | lib/yaml/constructor.py | 24 | ||||
-rw-r--r-- | lib3/yaml/constructor.py | 24 | ||||
-rw-r--r-- | tests/lib/test_recursive.py | 2 | ||||
-rw-r--r-- | tests/lib3/test_recursive.py | 2 |
4 files changed, 26 insertions, 26 deletions
diff --git a/lib/yaml/constructor.py b/lib/yaml/constructor.py
index 794681c..c42ee34 100644
--- a/lib/yaml/constructor.py
+++ b/lib/yaml/constructor.py
@@ -722,18 +722,6 @@ FullConstructor.add_multi_constructor(
 u'tag:yaml.org,2002:python/name:',
 FullConstructor.construct_python_name)
 
-FullConstructor.add_multi_constructor(
- u'tag:yaml.org,2002:python/module:',
- FullConstructor.construct_python_module)
-
-FullConstructor.add_multi_constructor(
- u'tag:yaml.org,2002:python/object:',
- FullConstructor.construct_python_object)
-
-FullConstructor.add_multi_constructor(
- u'tag:yaml.org,2002:python/object/new:',
- FullConstructor.construct_python_object_new)
-
 class UnsafeConstructor(FullConstructor):
 
 def find_python_module(self, name, mark):
@@ -751,6 +739,18 @@ class UnsafeConstructor(FullConstructor):
 instance, state, unsafe=True)
 
 UnsafeConstructor.add_multi_constructor(
+ u'tag:yaml.org,2002:python/module:',
+ UnsafeConstructor.construct_python_module)
+
+UnsafeConstructor.add_multi_constructor(
+ u'tag:yaml.org,2002:python/object:',
+ UnsafeConstructor.construct_python_object)
+
+UnsafeConstructor.add_multi_constructor(
+ u'tag:yaml.org,2002:python/object/new:',
+ UnsafeConstructor.construct_python_object_new)
+
+UnsafeConstructor.add_multi_constructor(
 u'tag:yaml.org,2002:python/object/apply:',
 UnsafeConstructor.construct_python_object_apply)
 
diff --git a/lib3/yaml/constructor.py b/lib3/yaml/constructor.py
index 1948b12..619acd3 100644
--- a/lib3/yaml/constructor.py
+++ b/lib3/yaml/constructor.py
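Review bot: The three registrations added to UnsafeConstructor in the -751,6 +739,18 hunk carry no comment saying why they live on this class, so nothing in the code itself stops a later contributor from moving them back onto FullConstructor, which is exactly what this commit undoes. I would put, above the first `UnsafeConstructor.add_multi_constructor(` of the hunk, `# python/module:, python/object: and python/object/new: are unsafe-only; moved off FullConstructor for CVE-2020-14343 — do not move back.` The same comment belongs at the matching -739,6 +727,18 hunk of lib3/yaml/constructor.py. The context lines of the first hunk show `python/name:` still registered on FullConstructor; whether that remains acceptable depends on the unsafe=False checks inside find_python_name, which are outside this diff and worth confirming in the same review.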
@@ -710,18 +710,6 @@ FullConstructor.add_multi_constructor(
 'tag:yaml.org,2002:python/name:',
 FullConstructor.construct_python_name)
 
-FullConstructor.add_multi_constructor(
- 'tag:yaml.org,2002:python/module:',
- FullConstructor.construct_python_module)
-
-FullConstructor.add_multi_constructor(
- 'tag:yaml.org,2002:python/object:',
- FullConstructor.construct_python_object)
-
-FullConstructor.add_multi_constructor(
- 'tag:yaml.org,2002:python/object/new:',
- FullConstructor.construct_python_object_new)
-
 class UnsafeConstructor(FullConstructor):
 
 def find_python_module(self, name, mark):
@@ -739,6 +727,18 @@ class UnsafeConstructor(FullConstructor):
 instance, state, unsafe=True)
 
 UnsafeConstructor.add_multi_constructor(
+ 'tag:yaml.org,2002:python/module:',
+ UnsafeConstructor.construct_python_module)
+
+UnsafeConstructor.add_multi_constructor(
+ 'tag:yaml.org,2002:python/object:',
+ UnsafeConstructor.construct_python_object)
+
+UnsafeConstructor.add_multi_constructor(
+ 'tag:yaml.org,2002:python/object/new:',
+ UnsafeConstructor.construct_python_object_new)
+
+UnsafeConstructor.add_multi_constructor(
 'tag:yaml.org,2002:python/object/apply:',
 UnsafeConstructor.construct_python_object_apply)
 
diff --git a/tests/lib/test_recursive.py b/tests/lib/test_recursive.py
index 312204e..04c5798 100644
--- a/tests/lib/test_recursive.py
+++ b/tests/lib/test_recursive.py
@@ -30,7 +30,7 @@ def test_recursive(recursive_filename, verbose=False):
 output2 = None
 try:
 output1 = yaml.dump(value1)
- value2 = yaml.load(output1, yaml.FullLoader)
+ value2 = yaml.load(output1, yaml.UnsafeLoader)
 output2 = yaml.dump(value2)
 assert output1 == output2, (output1, output2)
 finally:
diff --git a/tests/lib3/test_recursive.py b/tests/lib3/test_recursive.py
index 74c2ee6..08042c8 100644
--- a/tests/lib3/test_recursive.py
+++ b/tests/lib3/test_recursive.py
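Review bot: Switching test_recursive to `yaml.UnsafeLoader` keeps the round-trip green but leaves the fix itself unpinned: after this commit no test asserts that FullLoader rejects the python/object family the constructor hunks remove from FullConstructor, so re-registering those tags on FullConstructor would not fail the suite. The dumped output1 presumably contains such tags, which is why the loader had to change here; I would add a companion case that loads the same output1 with `yaml.load(output1, yaml.FullLoader)` and expects `yaml.constructor.ConstructorError`. The same applies to the tests/lib3/test_recursive.py hunk, where the call is `yaml.full_load`. test_recursive begins before this hunk and the harness that drives it is outside the diff, so the exact placement of the negative case depends on code not shown.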
@@ -31,7 +31,7 @@ def test_recursive(recursive_filename, verbose=False):
 output2 = None
 try:
 output1 = yaml.dump(value1)
- value2 = yaml.full_load(output1)
+ value2 = yaml.unsafe_load(output1)
 output2 = yaml.dump(value2)
 assert output1 == output2, (output1, output2)
 finally: