From 6e6a36944e5f1e20fc11d0092316af8cc65e7801 Mon Sep 17 00:00:00 2001
From: zhuzeyu
Date: Wed, 8 Feb 2017 12:02:46 +0800
Subject: [PATCH] Using yaml.safe_load instead of yaml.load

It is not safe to call yaml.load with any data received from an untrusted source, we'd better use yaml.safe_load

Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: Ic8bf73bf0f2e2c29eb48094367cf558483be1267
---
 ansible/action_plugins/merge_yaml.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ansible/action_plugins/merge_yaml.py b/ansible/action_plugins/merge_yaml.py
index 34ba7fb8db..2aca22e964 100755
--- a/ansible/action_plugins/merge_yaml.py
+++ b/ansible/action_plugins/merge_yaml.py
@@ -19,7 +19,7 @@
 import inspect
 import os
 from yaml import dump
-from yaml import load
+from yaml import safe_load
 try:
     from yaml import CDumper as Dumper  # noqa: F401
     from yaml import CLoader as Loader  # noqa: F401
@@ -42,7 +42,7 @@ class ActionModule(action.ActionBase):
         with open(source, 'r') as f:
             template_data = f.read()
         template_data = self._templar.template(template_data)
-        result = load(template_data)
+        result = safe_load(template_data)
         return result or {}
 
     def run(self, tmp=None, task_vars=None):
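Review bot: The `from yaml import CLoader as Loader  # noqa: F401` line kept in the try block now imports a loader that nothing in the file can use, since the only `load` import is replaced by `safe_load`; it was already dead before, because the removed `load(template_data)` call passed no `Loader=` and so ran the unsafe full loader that this patch is fixing. Presumably the matching fallback import in the `except ImportError` branch, which lies outside the hunk, is dead for the same reason. If the C-accelerated parser was the reason for that import, the safe equivalent is `from yaml import CSafeLoader as SafeLoader` with a `from yaml import SafeLoader` fallback, used as `load(template_data, Loader=SafeLoader)`; otherwise drop the `Loader` import rather than keeping an F401 suppression for it.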
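Review bot: The new `safe_load` call deserves a comment explaining why the full loader must not return here, because the text it parses is the Jinja output of `self._templar.template(template_data)` on the line above, so whatever a caller's variables contain ends up in the YAML stream, e.g. `# Rendered text carries caller-supplied values; never parse it with the full loader.` The existing `return result or {}` still covers the empty-document case, where `safe_load` returns `None`. One thing the change does not address is that rendered text which is not valid YAML raises `YAMLError` from this line with no indication of which `source` file produced it; catching it and re-raising with the path in the message would make failures diagnosable, though the enclosing method starts outside the hunk, so any error handling it already has is not visible here.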