From a001f2782501ad2d24986959f0239a354675f9dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ingy=20d=C3=B6t=20Net?=
Date: Sat, 9 Jan 2021 10:53:23 -0500
Subject: [PATCH] Fix for CVE-2020-14343

Per suggestion https://github.com/yaml/pyyaml/issues/420#issuecomment-663888344 move a few constructors from full_load to unsafe_load.
---
 lib/yaml/constructor.py      | 24 ++++++++++++------------
 lib3/yaml/constructor.py     | 24 ++++++++++++------------
 tests/lib/test_recursive.py  |  2 +-
 tests/lib3/test_recursive.py |  2 +-
 4 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/lib/yaml/constructor.py b/lib/yaml/constructor.py
index 794681cb..c42ee344 100644
--- a/lib/yaml/constructor.py
+++ b/lib/yaml/constructor.py
@@ -722,18 +722,6 @@ def construct_python_object_new(self, suffix, node):
     u'tag:yaml.org,2002:python/name:',
     FullConstructor.construct_python_name)
 
-FullConstructor.add_multi_constructor(
-    u'tag:yaml.org,2002:python/module:',
-    FullConstructor.construct_python_module)
-
-FullConstructor.add_multi_constructor(
-    u'tag:yaml.org,2002:python/object:',
-    FullConstructor.construct_python_object)
-
-FullConstructor.add_multi_constructor(
-    u'tag:yaml.org,2002:python/object/new:',
-    FullConstructor.construct_python_object_new)
-
 class UnsafeConstructor(FullConstructor):
 
     def find_python_module(self, name, mark):
@@ -750,6 +738,18 @@ def set_python_instance_state(self, instance, state):
         return super(UnsafeConstructor, self).set_python_instance_state(
             instance, state, unsafe=True)
 
+UnsafeConstructor.add_multi_constructor(
+    u'tag:yaml.org,2002:python/module:',
+    UnsafeConstructor.construct_python_module)
+
+UnsafeConstructor.add_multi_constructor(
+    u'tag:yaml.org,2002:python/object:',
+    UnsafeConstructor.construct_python_object)
+
+UnsafeConstructor.add_multi_constructor(
+    u'tag:yaml.org,2002:python/object/new:',
+    UnsafeConstructor.construct_python_object_new)
+
 UnsafeConstructor.add_multi_constructor(
     u'tag:yaml.org,2002:python/object/apply:',
     UnsafeConstructor.construct_python_object_apply)
diff --git a/lib3/yaml/constructor.py b/lib3/yaml/constructor.py
index 1948b125..619acd30 100644
--- a/lib3/yaml/constructor.py
+++ b/lib3/yaml/constructor.py
@@ -710,18 +710,6 @@ def construct_python_object_new(self, suffix, node):
     'tag:yaml.org,2002:python/name:',
     FullConstructor.construct_python_name)
 
-FullConstructor.add_multi_constructor(
-    'tag:yaml.org,2002:python/module:',
-    FullConstructor.construct_python_module)
-
-FullConstructor.add_multi_constructor(
-    'tag:yaml.org,2002:python/object:',
-    FullConstructor.construct_python_object)
-
-FullConstructor.add_multi_constructor(
-    'tag:yaml.org,2002:python/object/new:',
-    FullConstructor.construct_python_object_new)
-
 class UnsafeConstructor(FullConstructor):
 
     def find_python_module(self, name, mark):
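Review bot: The three registrations added to UnsafeConstructor carry no comment recording why they no longer live on FullConstructor, so a later tidy-up that gathers all `add_multi_constructor` calls in one place could quietly put them back on FullLoader; a comment above the first added `UnsafeConstructor.add_multi_constructor(` line such as `# python/module, python/object and python/object/new build module references and arbitrary instances from document content; register them on UnsafeConstructor only, never FullConstructor (CVE-2020-14343).` would pin that boundary. The preceding hunk's context shows `python/name:` still registered on FullConstructor; whether that is acceptable depends on the non-unsafe restrictions inside FullConstructor.find_python_name, which are outside this patch, so it is worth confirming that full_load cannot resolve arbitrary attributes through it. The first two context lines are the tail of set_python_instance_state, which begins outside the hunk.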
@@ -738,6 +726,18 @@ def set_python_instance_state(self, instance, state):
         return super(UnsafeConstructor, self).set_python_instance_state(
             instance, state, unsafe=True)
 
+UnsafeConstructor.add_multi_constructor(
+    'tag:yaml.org,2002:python/module:',
+    UnsafeConstructor.construct_python_module)
+
+UnsafeConstructor.add_multi_constructor(
+    'tag:yaml.org,2002:python/object:',
+    UnsafeConstructor.construct_python_object)
+
+UnsafeConstructor.add_multi_constructor(
+    'tag:yaml.org,2002:python/object/new:',
+    UnsafeConstructor.construct_python_object_new)
+
 UnsafeConstructor.add_multi_constructor(
     'tag:yaml.org,2002:python/object/apply:',
     UnsafeConstructor.construct_python_object_apply)
diff --git a/tests/lib/test_recursive.py b/tests/lib/test_recursive.py
index 312204ea..04c57985 100644
--- a/tests/lib/test_recursive.py
+++ b/tests/lib/test_recursive.py
@@ -30,7 +30,7 @@ def test_recursive(recursive_filename, verbose=False):
     output2 = None
     try:
         output1 = yaml.dump(value1)
-        value2 = yaml.load(output1, yaml.FullLoader)
+        value2 = yaml.load(output1, yaml.UnsafeLoader)
         output2 = yaml.dump(value2)
         assert output1 == output2, (output1, output2)
     finally:
diff --git a/tests/lib3/test_recursive.py b/tests/lib3/test_recursive.py
index 74c2ee65..08042c81 100644
--- a/tests/lib3/test_recursive.py
+++ b/tests/lib3/test_recursive.py
@@ -31,7 +31,7 @@ def test_recursive(recursive_filename, verbose=False):
     output2 = None
     try:
         output1 = yaml.dump(value1)
-        value2 = yaml.full_load(output1)
+        value2 = yaml.unsafe_load(output1)
         output2 = yaml.dump(value2)
         assert output1 == output2, (output1, output2)
     finally:
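Review bot: The patch changes what `yaml.full_load` accepts but adds no test that asserts the new behaviour; the only test change here switches the round-trip in test_recursive to `yaml.unsafe_load`, which keeps the existing test green without checking that FullLoader now rejects the moved tags. A regression test should feed a document whose root node is tagged `!!python/object/new:`, `!!python/object:` or `!!python/module:` to `yaml.full_load` and assert that it raises instead of constructing — presumably `yaml.constructor.ConstructorError`, which is what I would expect FullConstructor to raise for a tag it has no constructor for, but confirm the exact exception against the loader. The same check belongs next to the matching change in tests/lib for the Python 2 tree. test_recursive's body starts before and ends after this hunk.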