From 600e5abcfef41cd1dded91090c60cca96498c4e3 Mon Sep 17 00:00:00 2001
From: gecong1973
Date: Sat, 4 Feb 2017 12:16:18 +0800
Subject: [PATCH] Replaces yaml.load() with yaml.safe_load()

Yaml.load() return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load() limits this ability to simple Python objects like integers or lists.

Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: I3fea784cb77c699b3262373cb0b7510f841795ac
---
 doc/source/_exts/metadata-docs-rhel7.py | 2 +-
 doc/source/_exts/metadata-docs.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/source/_exts/metadata-docs-rhel7.py b/doc/source/_exts/metadata-docs-rhel7.py
index c1e6485b..487e7770 100644
--- a/doc/source/_exts/metadata-docs-rhel7.py
+++ b/doc/source/_exts/metadata-docs-rhel7.py
@@ -143,7 +143,7 @@ def get_deployer_notes(stig_id):
     _, metadata, text = yaml_boundary.split(rst_file, 2)
 
     # Assemble the metadata and the text from the deployer note.
-    post = yaml.load(metadata)
+    post = yaml.safe_load(metadata)
     post['content'] = text
 
     return post
diff --git a/doc/source/_exts/metadata-docs.py b/doc/source/_exts/metadata-docs.py
index 27a53447..c0cc6743 100644
--- a/doc/source/_exts/metadata-docs.py
+++ b/doc/source/_exts/metadata-docs.py
@@ -99,7 +99,7 @@ def get_deployer_notes(stig_id):
     _, metadata, text = yaml_boundary.split(rst_file, 2)
 
     # Assemble the metadata and the text from the deployer note.
-    post = yaml.load(metadata)
+    post = yaml.safe_load(metadata)
     post['content'] = text
 
     return post
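Review bot: The line right after the changed one, `post['content'] = text`, still assumes the parsed front matter is a mapping, but yaml.safe_load() returns None for an empty metadata block and a str or list for a scalar or sequence document, so a malformed deployer note fails with a TypeError that does not name the offending file. A guard immediately after the load, `if not isinstance(post, dict): raise ValueError('deployer note %s: YAML metadata must be a mapping' % stig_id)`, turns that into an actionable build error. Judging from the visible lines the input is the repository's own RST deployer notes rather than network data, so safe_load here mainly hardens the docs build against a malicious or careless contribution, which is worth stating in a comment such as `# safe_load: the front matter is contributor-authored, so never let YAML tags instantiate arbitrary Python objects.` get_deployer_notes starts before the hunk, so where rst_file and yaml_boundary come from is not visible here.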
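Review bot: This copy of get_deployer_notes has the same gap as the one in metadata-docs-rhel7.py: `post['content'] = text` will raise a bare TypeError when yaml.safe_load() yields None (empty metadata) or a non-mapping scalar or list, and the error will not say which deployer note is broken. Add the same check after the load, `if not isinstance(post, dict): raise ValueError('deployer note %s: YAML metadata must be a mapping' % stig_id)`, so the two extensions fail the same way. Since the visible bodies of the two functions are identical, the check is easiest to keep consistent if the parsing step lives in one shared helper that both extensions import, though that refactor is outside this commit's scope. The function's signature and the definitions of rst_file and yaml_boundary are above the hunk and not shown.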