authorIngy döt Net <ingy@ingy.net>2021-01-09 10:53:23 -0500
committerIngy döt Net <ingy@ingy.net>2021-01-13 16:58:40 -0500
commita001f2782501ad2d24986959f0239a354675f9dc (patch)
tree918886f579f850e584daf616ca40eb86936f6b7e
parentfe150624146ee631bb0f95e45731e8b01281fed6 (diff)
downloadpyyaml-git-a001f2782501ad2d24986959f0239a354675f9dc.tar.gz
Fix for CVE-2020-14343
Per the suggestion at https://github.com/yaml/pyyaml/issues/420#issuecomment-663888344, move a few constructors from full_load to unsafe_load.
-rw-r--r--lib/yaml/constructor.py24
-rw-r--r--lib3/yaml/constructor.py24
-rw-r--r--tests/lib/test_recursive.py2
-rw-r--r--tests/lib3/test_recursive.py2
4 files changed, 26 insertions, 26 deletions
diff --git a/lib/yaml/constructor.py b/lib/yaml/constructor.py
index 794681c..c42ee34 100644
--- a/lib/yaml/constructor.py
+++ b/lib/yaml/constructor.py
@@ -722,18 +722,6 @@ FullConstructor.add_multi_constructor(
u'tag:yaml.org,2002:python/name:',
FullConstructor.construct_python_name)
-FullConstructor.add_multi_constructor(
- u'tag:yaml.org,2002:python/module:',
- FullConstructor.construct_python_module)
-
-FullConstructor.add_multi_constructor(
- u'tag:yaml.org,2002:python/object:',
- FullConstructor.construct_python_object)
-
-FullConstructor.add_multi_constructor(
- u'tag:yaml.org,2002:python/object/new:',
- FullConstructor.construct_python_object_new)
-
class UnsafeConstructor(FullConstructor):
def find_python_module(self, name, mark):
@@ -751,6 +739,18 @@ class UnsafeConstructor(FullConstructor):
instance, state, unsafe=True)
UnsafeConstructor.add_multi_constructor(
+ u'tag:yaml.org,2002:python/module:',
+ UnsafeConstructor.construct_python_module)
+
+UnsafeConstructor.add_multi_constructor(
+ u'tag:yaml.org,2002:python/object:',
+ UnsafeConstructor.construct_python_object)
+
+UnsafeConstructor.add_multi_constructor(
+ u'tag:yaml.org,2002:python/object/new:',
+ UnsafeConstructor.construct_python_object_new)
+
+UnsafeConstructor.add_multi_constructor(
u'tag:yaml.org,2002:python/object/apply:',
UnsafeConstructor.construct_python_object_apply)
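Review bot: The three registrations relocated to UnsafeConstructor at the top of this hunk (python/module, python/object, python/object/new) carry no comment saying why they must not live on FullConstructor, so nothing stops a later tidy-up from moving them back next to the python/name registration that still precedes the class; add above the first relocated `UnsafeConstructor.add_multi_constructor(` a comment such as `# Deliberately NOT registered on FullConstructor: these tags instantiate arbitrary classes named in the document (CVE-2020-14343); only unsafe_load may resolve them.` The same applies to the mirrored hunk in lib3/yaml/constructor.py. python/name remains on FullConstructor (context lines before the removed block in the first hunk); if that is intentional, a one-line comment stating the reason would keep the boundary explicit — presumably FullConstructor's name resolution is restricted in some way, but that cannot be confirmed from this diff. The method whose tail `instance, state, unsafe=True)` opens this hunk starts outside it.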
diff --git a/lib3/yaml/constructor.py b/lib3/yaml/constructor.py
index 1948b12..619acd3 100644
--- a/lib3/yaml/constructor.py
+++ b/lib3/yaml/constructor.py
@@ -710,18 +710,6 @@ FullConstructor.add_multi_constructor(
'tag:yaml.org,2002:python/name:',
FullConstructor.construct_python_name)
-FullConstructor.add_multi_constructor(
- 'tag:yaml.org,2002:python/module:',
- FullConstructor.construct_python_module)
-
-FullConstructor.add_multi_constructor(
- 'tag:yaml.org,2002:python/object:',
- FullConstructor.construct_python_object)
-
-FullConstructor.add_multi_constructor(
- 'tag:yaml.org,2002:python/object/new:',
- FullConstructor.construct_python_object_new)
-
class UnsafeConstructor(FullConstructor):
def find_python_module(self, name, mark):
@@ -739,6 +727,18 @@ class UnsafeConstructor(FullConstructor):
instance, state, unsafe=True)
UnsafeConstructor.add_multi_constructor(
+ 'tag:yaml.org,2002:python/module:',
+ UnsafeConstructor.construct_python_module)
+
+UnsafeConstructor.add_multi_constructor(
+ 'tag:yaml.org,2002:python/object:',
+ UnsafeConstructor.construct_python_object)
+
+UnsafeConstructor.add_multi_constructor(
+ 'tag:yaml.org,2002:python/object/new:',
+ UnsafeConstructor.construct_python_object_new)
+
+UnsafeConstructor.add_multi_constructor(
'tag:yaml.org,2002:python/object/apply:',
UnsafeConstructor.construct_python_object_apply)
diff --git a/tests/lib/test_recursive.py b/tests/lib/test_recursive.py
index 312204e..04c5798 100644
--- a/tests/lib/test_recursive.py
+++ b/tests/lib/test_recursive.py
@@ -30,7 +30,7 @@ def test_recursive(recursive_filename, verbose=False):
output2 = None
try:
output1 = yaml.dump(value1)
- value2 = yaml.load(output1, yaml.FullLoader)
+ value2 = yaml.load(output1, yaml.UnsafeLoader)
output2 = yaml.dump(value2)
assert output1 == output2, (output1, output2)
finally:
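Review bot: Switching this round-trip to `yaml.UnsafeLoader` keeps the test green but leaves the behaviour the commit is fixing — FullLoader refusing python/object-style tags — without any regression test, so a future re-registration on FullConstructor would go unnoticed. A short negative check alongside this one, loading a document that uses one of the relocated tags with `yaml.FullLoader` inside a try/except that expects the loader's constructor error (presumably `yaml.constructor.ConstructorError`; confirm against FullConstructor's undefined-tag handling) and fails the test if no exception is raised, would pin the fix. The same applies to the matching hunk in tests/lib3/test_recursive.py, which now calls `yaml.unsafe_load`. test_recursive's body starts and continues outside this hunk.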
diff --git a/tests/lib3/test_recursive.py b/tests/lib3/test_recursive.py
index 74c2ee6..08042c8 100644
--- a/tests/lib3/test_recursive.py
+++ b/tests/lib3/test_recursive.py
@@ -31,7 +31,7 @@ def test_recursive(recursive_filename, verbose=False):
output2 = None
try:
output1 = yaml.dump(value1)
- value2 = yaml.full_load(output1)
+ value2 = yaml.unsafe_load(output1)
output2 = yaml.dump(value2)
assert output1 == output2, (output1, output2)
finally: