From 7283f012a9e9e5be2c907008ee332c0c248851f1 Mon Sep 17 00:00:00 2001
From: Palmer Dabbelt
Date: Wed, 17 Jul 2019 13:38:24 -0700
Subject: [PATCH 1/2] Use yaml.safe_load() instead of yaml.load()
Gentoo has disabled yaml.load() in response to CVE-2017-18342, see https://bugs.gentoo.org/659348 for more details. This results in clay being unusabel on Gentoo systems, as loading the settings YAML causes the application to fail. This patch changes the yaml.load() calls to yaml.safe_load(), which avoids the security issue and has been left enabled by Gentoo.
Signed-off-by: Palmer Dabbelt
---
 clay/settings.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/clay/settings.py b/clay/settings.py
index db31473..cdbdfdc 100644
--- a/clay/settings.py
+++ b/clay/settings.py
@@ -83,17 +83,17 @@ def _load_config(self):
         Read config from file.
         """
         with open(self._config_file_path, 'r') as settings_file:
-            self._config = yaml.load(settings_file.read())
+            self._config = yaml.safe_load(settings_file.read())
         # Load the configuration from Setuptools' ResourceManager API
-        self._default_config = yaml.load(pkg_resources.resource_string(__name__, "config.yaml"))
+        self._default_config = yaml.safe_load(pkg_resources.resource_string(__name__, "config.yaml"))
         # We only either the user colour or the default colours to ease parsing logic.
         if os.path.exists(self._colours_file_path):
             with open(self._colours_file_path, 'r') as colours_file:
-                self.colours_config = yaml.load(colours_file.read())
+                self.colours_config = yaml.safe_load(colours_file.read())
         else:
-            self.colours_config = yaml.load(pkg_resources.resource_string(__name__, "colours.yaml"))
+            self.colours_config = yaml.safe_load(pkg_resources.resource_string(__name__, "colours.yaml"))
     def _load_cache(self):
From 6fa517eaa173e69de550b68690a550a66ca14ab6 Mon Sep 17 00:00:00 2001
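Review bot: The added `yaml.safe_load()` calls in `_load_config` still assign `None` when the document is empty, so an empty user settings file leaves `self._config` as `None` and the later `self._config.update(config)` in `_commit_edits` fails; `self._config = yaml.safe_load(settings_file.read()) or {}` keeps the user-file path robust (the packaged defaults can stay strict). Settings files written earlier by the unrestricted `yaml.dump()` may carry `!!python/...` tags that `safe_load` rejects with `yaml.constructor.ConstructorError`, so a clear error message or a migration note would help users hit by the switch; whether such files exist in the wild cannot be seen from the hunk. `_load_config` starts before the hunk's first line.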
From: Palmer Dabbelt
Date: Wed, 17 Jul 2019 13:40:43 -0700
Subject: [PATCH 2/2] Use yaml.safe_dump() intsead of yaml.dump()
yaml.dump() is capable of producing files that cannot be read by yaml.load(), which would result in the application being unable to load the settings file. I haven't actually seen this happen, I just noticed safe_dump() when doing the safe_load() change.
Signed-off-by: Palmer Dabbelt
---
 clay/settings.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clay/settings.py b/clay/settings.py
index cdbdfdc..1d3e504 100644
--- a/clay/settings.py
+++ b/clay/settings.py
@@ -111,7 +111,7 @@ def _commit_edits(self, config):
         """
         self._config.update(config)
         with open(self._config_file_path, 'w') as settings_file:
-            settings_file.write(yaml.dump(self._config, default_flow_style=False))
+            settings_file.write(yaml.safe_dump(self._config, default_flow_style=False))
 
     def get(self, key, *sections):
         """
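Review bot: `yaml.safe_dump()` on the added line raises `yaml.representer.RepresenterError` for any value that is not a plain YAML type, and because the file has already been opened with `'w'` on the line above, the settings file is truncated before the exception escapes, losing the user's settings. Serialising before opening avoids that: `data = yaml.safe_dump(self._config, default_flow_style=False)` ahead of the `with`, then `settings_file.write(data)` inside it. Whether `self._config` can hold such values cannot be seen from the hunk. `_commit_edits` starts before the hunk's first line.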