[Reproducible-commits] [notes] 01/01: pre-receive: Fix theoretical security issue
Daniel Shahaf
danielsh at apache.org
Sun May 8 16:01:39 UTC 2016
This is an automated email from the git hooks/post-receive script.
danielsh-guest pushed a commit to branch master
in repository notes.
commit 5a0999c83604d474182334568098574d9ae55cc7
Author: Daniel Shahaf <d.s at daniel.shahaf.name>
Date: Sun May 8 15:53:21 2016 +0000
pre-receive: Fix theoretical security issue
'yaml.load' may run arbitrary code; however, that isn't an issue in
the current Alioth git setup.
---
hooks/pre-receive | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hooks/pre-receive b/hooks/pre-receive
index 2ef4bba..b153aab 100755
--- a/hooks/pre-receive
+++ b/hooks/pre-receive
@@ -28,8 +28,8 @@ def ensure_issues_are_known(issues, packages):
def main():
for ref_line in sys.stdin:
old_value, new_value, ref_name = ref_line.strip().split(' ', 3)
- issues = yaml.load(read_from_git(new_value, 'issues.yml'))
- packages = yaml.load(read_from_git(new_value, 'packages.yml'))
+ issues = yaml.safe_load(read_from_git(new_value, 'issues.yml'))
+ packages = yaml.safe_load(read_from_git(new_value, 'packages.yml'))
validate_issues(issues)
ensure_issues_are_known(issues, packages)
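Review bot: Nothing in this hunk handles `yaml.YAMLError`, so after the switch to `yaml.safe_load` a syntactically invalid `issues.yml` or `packages.yml` in the pushed commit aborts the hook with a Python traceback instead of a clear rejection; consider wrapping the two `safe_load` calls in a `try`/`except yaml.YAMLError as e:` that prints which file failed (and `e`) to stderr and exits non-zero. Separately, `ref_line.strip().split(' ', 3)` permits up to four fields, so any unexpected extra whitespace in a ref line raises an unpacking `ValueError`; `split(None, 2)` is the conventional parse for the `old new ref` lines a pre-receive hook receives on stdin.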
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/notes.git