mirror of
https://github.com/django/django.git
synced 2025-08-03 18:38:50 +00:00
Used yaml.safe_load instead of yaml.load, because safety should be the default.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17062 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent af1893c4ff
commit d71b4309ca
3 changed files with 15 additions and 5 deletions
@ -743,6 +743,16 @@ you can easily achieve the same by overriding the `open` method, e.g.::
def open(self, name, mode='rb'):
return Spam(open(self.path(name), mode))
YAML deserializer now uses ``yaml.safe_load``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
``yaml.load`` is able to construct any Python object, which may trigger
arbitrary code execution if you process a YAML document that comes from an
untrusted source. This feature isn't necessary for Django's YAML deserializer,
whose primary use is to load fixtures consisting of simple objects. Even though
fixtures are trusted data, for additional security, the YAML deserializer now
uses ``yaml.safe_load``.
.. _deprecated-features-1.4:
Features deprecated in 1.4
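Review bot: The added release note presents the switch to ``yaml.safe_load`` purely as hardening, but it omits the user-visible consequence: any fixture that relies on full-YAML constructors (PyYAML's ``!!python/object`` family and similar tags) will now fail to deserialize, which is a backwards-incompatible change rather than just "additional security". Suggest adding one sentence after "uses ``yaml.safe_load``." along the lines of "Fixtures that depend on YAML tags not supported by ``yaml.safe_load`` must be rewritten using plain YAML types," and cross-referencing it from the backwards-incompatible changes list for 1.4 if this section is not already under it. The wording "may trigger arbitrary code execution" is accurate and should stay.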