

Fix for CVE-2020-14343
Original commit: a001f27

Per the suggestion in yaml#420 (comment),
move a few constructors from full_load to unsafe_load.
ingydotnet authored and perlpunk committed Aug 2, 2022
1 parent 4919528 commit cac92d7
Showing 4 changed files with 26 additions and 26 deletions.
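--- a/lib/yaml/constructor.py
+++ b/lib/yaml/constructor.py
@@ -707,18 +707,6 @@ def construct_python_object_new(self, suffix, node):
 u'tag:yaml.org,2002:python/name:',
 FullConstructor.construct_python_name)
 
-FullConstructor.add_multi_constructor(
-u'tag:yaml.org,2002:python/module:',
-FullConstructor.construct_python_module)
-
-FullConstructor.add_multi_constructor(
-u'tag:yaml.org,2002:python/object:',
-FullConstructor.construct_python_object)
-
-FullConstructor.add_multi_constructor(
-u'tag:yaml.org,2002:python/object/new:',
-FullConstructor.construct_python_object_new)
-
 class UnsafeConstructor(FullConstructor):
 
 def find_python_module(self, name, mark):
@@ -735,6 +723,18 @@ def set_python_instance_state(self, instance, state):
 return super(UnsafeConstructor, self).set_python_instance_state(
 instance, state, unsafe=True)
 
+UnsafeConstructor.add_multi_constructor(
+u'tag:yaml.org,2002:python/module:',
+UnsafeConstructor.construct_python_module)
+
+UnsafeConstructor.add_multi_constructor(
+u'tag:yaml.org,2002:python/object:',
+UnsafeConstructor.construct_python_object)
+
+UnsafeConstructor.add_multi_constructor(
+u'tag:yaml.org,2002:python/object/new:',
+UnsafeConstructor.construct_python_object_new)
+
 UnsafeConstructor.add_multi_constructor(
 u'tag:yaml.org,2002:python/object/apply:',
 UnsafeConstructor.construct_python_object_apply)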
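Review bot: The three registrations added on UnsafeConstructor carry no comment recording why they were moved off FullConstructor, so nothing stops a later cleanup from regrouping them with the `python/name:` registration that stays on FullConstructor in the context lines at the top of the hunk; I would add, above the first added `UnsafeConstructor.add_multi_constructor(`, `# python/module:, python/object: and python/object/new: can import modules and instantiate arbitrary classes; they are deliberately only reachable through unsafe_load (CVE-2020-14343).` Leaving `python/name:` on FullConstructor presumably relies on a restriction inside find_python_name/find_python_module, which is outside this hunk, so it is worth confirming that restriction still holds after the move. Both hunks cut through the FullConstructor and UnsafeConstructor class bodies, whose definitions start and end outside the hunk.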
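--- a/lib3/yaml/constructor.py
+++ b/lib3/yaml/constructor.py
@@ -709,18 +709,6 @@ def construct_python_object_new(self, suffix, node):
 'tag:yaml.org,2002:python/name:',
 FullConstructor.construct_python_name)
 
-FullConstructor.add_multi_constructor(
-'tag:yaml.org,2002:python/module:',
-FullConstructor.construct_python_module)
-
-FullConstructor.add_multi_constructor(
-'tag:yaml.org,2002:python/object:',
-FullConstructor.construct_python_object)
-
-FullConstructor.add_multi_constructor(
-'tag:yaml.org,2002:python/object/new:',
-FullConstructor.construct_python_object_new)
-
 class UnsafeConstructor(FullConstructor):
 
 def find_python_module(self, name, mark):
@@ -737,6 +725,18 @@ def set_python_instance_state(self, instance, state):
 return super(UnsafeConstructor, self).set_python_instance_state(
 instance, state, unsafe=True)
 
+UnsafeConstructor.add_multi_constructor(
+'tag:yaml.org,2002:python/module:',
+UnsafeConstructor.construct_python_module)
+
+UnsafeConstructor.add_multi_constructor(
+'tag:yaml.org,2002:python/object:',
+UnsafeConstructor.construct_python_object)
+
+UnsafeConstructor.add_multi_constructor(
+'tag:yaml.org,2002:python/object/new:',
+UnsafeConstructor.construct_python_object_new)
+
 UnsafeConstructor.add_multi_constructor(
 'tag:yaml.org,2002:python/object/apply:',
 UnsafeConstructor.construct_python_object_apply)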
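Review bot: The commit touches no docstring or changelog, so the documented contract of full_load/FullLoader no longer matches this code: a caller who previously relied on `!!python/object:` or `!!python/object/new:` round-tripping through full_load will now get a ConstructorError (assuming unknown tags still fall through to construct_undefined, which is outside the hunk). I would record the change next to the moved registrations, e.g. `# Moved from FullConstructor (CVE-2020-14343): only UnsafeConstructor may construct arbitrary Python objects.`, and note it in the package changelog. Since lib/ and lib3/ are maintained as two hand-synced copies, the same comment belongs in both files. The surrounding class bodies begin and end outside the hunk.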
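--- a/tests/lib/test_recursive.py
+++ b/tests/lib/test_recursive.py
@@ -30,7 +30,7 @@ def test_recursive(recursive_filename, verbose=False):
 output2 = None
 try:
 output1 = yaml.dump(value1)
-value2 = yaml.load(output1, yaml.FullLoader)
+value2 = yaml.load(output1, yaml.UnsafeLoader)
 output2 = yaml.dump(value2)
 assert output1 == output2, (output1, output2)
 finally: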
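Review bot: The new line spells the unsafe loader as `yaml.load(output1, yaml.UnsafeLoader)` while the lib3 counterpart of this same change uses `yaml.unsafe_load(output1)`; if the lib/ package exposes `unsafe_load` too (not visible here), `value2 = yaml.unsafe_load(output1)` would keep the two test trees identical and avoid the two-argument `yaml.load` form, which is easy to copy into application code with the loader argument dropped. The switch also means this test no longer exercises FullLoader at all, so nothing in this file pins the behaviour the commit changes. test_recursive starts before and ends after the hunk.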
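--- a/tests/lib3/test_recursive.py
+++ b/tests/lib3/test_recursive.py
@@ -31,7 +31,7 @@ def test_recursive(recursive_filename, verbose=False):
 output2 = None
 try:
 output1 = yaml.dump(value1)
-value2 = yaml.full_load(output1)
+value2 = yaml.unsafe_load(output1)
 output2 = yaml.dump(value2)
 assert output1 == output2, (output1, output2)
 finally: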
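Review bot: Switching this test to unsafe_load keeps the round-trip green but leaves the security fix itself untested: no test now asserts that full_load refuses `!!python/module:`, `!!python/object:` and `!!python/object/new:` documents, so a regression that re-registers them on FullConstructor would pass silently. I would add a sibling test next to test_recursive that feeds a minimal document with each moved tag to `yaml.full_load` and expects `yaml.constructor.ConstructorError`, registered the same way as test_recursive (its registration line is outside the hunk); the expectation that unknown tags raise ConstructorError assumes they still fall through to construct_undefined, which is not visible here. test_recursive starts before and ends after the hunk.

```python
def test_full_load_rejects_python_object_tags(verbose=False):
    # Regression for CVE-2020-14343: these tags are only registered on UnsafeConstructor.
    for document in ["!!python/module:sys ''", '!!python/object:dict {}', '!!python/object/new:dict {}']:
        try:
            yaml.full_load(document)
        except yaml.constructor.ConstructorError:
            pass
        else:
            raise AssertionError('full_load accepted %r' % document)
```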
