[Bug 1385077] [NEW] module defaults to unsafe "load" function

Scott Kitterman ubuntu at kitterman.com
Fri Oct 24 15:08:05 UTC 2014


Have you checked to see what your proposed change might break?  pyyaml is used 
in a wide variety of settings and such a backward incompatible change seems 
risky.  Perhaps improving the documentation about which to use when would be a 
better approach?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pyyaml in Ubuntu.
https://bugs.launchpad.net/bugs/1385077

Title:
  module defaults to unsafe "load" function

Status in “pyyaml” package in Ubuntu:
  Confirmed

Bug description:
  The python-yaml module's load function is remarkably unsafe, allowing
  yaml code to instantiate arbitrary python objects of arbitrary class
  or type.  Hidden away in the documentation is a safe_load() function,
  which is the one nearly everyone wants to use to process yaml being
  sent over the wire by heterogeneous systems or APIs.

  Please make yaml.load call yaml.safe_load(), and give the other
  function a name such as unsafe_load()

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: python-yaml 3.10-4build4
  ProcVersionSignature: Ubuntu 3.13.0-38.65-generic 3.13.11.8
  Uname: Linux 3.13.0-38-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.5
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Fri Oct 24 08:15:29 2014
  InstallationDate: Installed on 2014-05-29 (147 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
  SourcePackage: pyyaml
  UpgradeStatus: No upgrade log present (probably fresh install)
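As an added example that is not part of the bug report, the behaviour the description refers to: the full loader (yaml.Loader) honours a Python-specific tag and constructs the named object, while the safe loader rejects the same document. It assumes PyYAML is installed; the two documents, the harmless builtin named in the tag and the helper names are constructed for illustration.

```python
# Added example (not from the bug report): how the full PyYAML loader and
# the safe loader treat the same untrusted document. Requires PyYAML.
import yaml

# Constructed sample: a document carrying a Python-specific tag. Under the
# full loader this tag tells PyYAML to import the named callable and call
# it; a harmless builtin is used here purely to show the mechanism.
UNTRUSTED_DOC = """\
name: example
payload: !!python/object/apply:builtins.range [3]
"""

# Constructed sample: plain data, the shape an API client normally sends.
PLAIN_DOC = """\
name: example
ports: [80, 443]
enabled: true
"""


def load_untrusted(text):
    """Parse YAML from an untrusted source with the safe loader only.

    Equivalent to yaml.safe_load(text). Returns plain Python data, or
    raises yaml.YAMLError when the document uses a tag the safe loader
    does not know, such as any !!python/* tag.
    """
    return yaml.load(text, Loader=yaml.SafeLoader)


def classify(text):
    """Return "ok" if the safe loader accepts the document, else "rejected"."""
    try:
        load_untrusted(text)
        return "ok"
    except yaml.YAMLError:
        return "rejected"


def full_load_for_comparison(text):
    """The behaviour the report complains about: yaml.Loader constructs
    whatever Python object the document names (here a range object)."""
    return yaml.load(text, Loader=yaml.Loader)
```

Run classify() on every document that crosses a trust boundary; anything returned as "rejected" used a tag the safe loader does not construct.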
