module defaults to unsafe "load" function
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| pyyaml (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
The python-yaml module's load function is remarkably unsafe, allowing yaml code to instantiate arbitrary python objects of arbitrary class or type. Hidden away in the documentation is a safe_load() function, which is the one nearly everyone wants to use to process yaml being sent over the wire by heterogeneous systems or APIs.
Please make yaml.load call yaml.safe_load(), and give the other function a name such as unsafe_load()
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: python-yaml 3.10-4build4
ProcVersionSign
Uname: Linux 3.13.0-38-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.5
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Oct 24 08:15:29 2014
InstallationDate: Installed on 2014-05-29 (147 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
SourcePackage: pyyaml
UpgradeStatus: No upgrade log present (probably fresh install)
| Nick Moffitt (nick-moffitt) wrote | #1 |
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in pyyaml (Ubuntu): | |
| status: | New → Confirmed |
| Scott Kitterman (kitterman) wrote Re: [Bug 1385077] [NEW] module defaults to unsafe "load" function | #3 |
Status changed to 'Confirmed' because the bug affects multiple users.