From 01ebf813c5f67f5b6e83e055a803784548a78603 Mon Sep 17 00:00:00 2001
From: Ansgar Burchardt
Date: Sun, 29 Sep 2013 22:57:42 +0200
Subject: [PATCH] use yaml.safe_{load,dump} functions

The yaml.load() function can run arbitrary code, the safe_load() variant only understands a safe subset of YAML which is enough for dak.
---
 dak/stats.py | 4 ++--
 dak/transitions.py | 6 +++---
 daklib/checks.py | 4 ++--
 daklib/queue.py | 2 --
 4 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/dak/stats.py b/dak/stats.py
index 40ecc95d..6f69e1a7 100755
--- a/dak/stats.py
+++ b/dak/stats.py
@@ -41,7 +41,7 @@ from os import listdir, system, unlink
 from os.path import isfile, join, splitext
 from re import findall, DOTALL, MULTILINE
 from sys import stderr
-from yaml import load, safe_dump
+from yaml import safe_load, safe_dump
 
 from daklib import utils
 from daklib.dbconn import DBConn, get_suite_architectures, Suite, Architecture
@@ -340,7 +340,7 @@ def new_stats(logdir, yaml):
     global stats
     try:
         with open(yaml, 'r') as fd:
-            stats = load(fd)
+            stats = safe_load(fd)
     except IOError:
         pass
     if not stats:
diff --git a/dak/transitions.py b/dak/transitions.py
index 7409f6f9..68c65b6a 100755
--- a/dak/transitions.py
+++ b/dak/transitions.py
@@ -134,7 +134,7 @@ def load_transitions(trans_file):
         sourcecontent = sourcefile.read()
     failure = False
     try:
-        trans = yaml.load(sourcecontent)
+        trans = yaml.safe_load(sourcecontent)
     except yaml.YAMLError as exc:
         # Someone fucked it up
         print "ERROR: %s" % (exc)
@@ -262,7 +262,7 @@ def write_transitions(from_trans):
     temp_lock = lock_file(trans_temp)
 
     destfile = file(trans_temp, 'w')
-    yaml.dump(from_trans, destfile, default_flow_style=False)
+    yaml.safe_dump(from_trans, destfile, default_flow_style=False)
     destfile.close()
 
     os.rename(trans_temp, trans_file)
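Review bot: The `except IOError:` around the new `stats = safe_load(fd)` line does not cover parse failures, so a truncated or hand-edited stats file raises `yaml.YAMLError` out of new_stats instead of falling through to the `if not stats:` initialisation visible below. Widening it to `except (IOError, YAMLError):` keeps the best-effort behaviour, with the name added to the import changed in the first hunk of this file: `from yaml import safe_load, safe_dump, YAMLError`. new_stats starts before the hunk and its body continues after it, so the reset path is inferred from the visible `if not stats:` only.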
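Review bot: `yaml.safe_load` returns `None` for an empty or comment-only transitions file, and that is not a `yaml.YAMLError`, so it bypasses the `except` branch shown here; if the rest of load_transitions (which starts and ends outside this hunk) iterates or indexes `trans`, an empty file would fail with a TypeError rather than through the handled error path. Worth treating it like a parse failure right after the `try`, e.g. `if trans is None: failure = True`, or whatever the failure handling below the hunk expects.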
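Review bot: `yaml.safe_dump` is stricter than `yaml.dump` — it raises `yaml.representer.RepresenterError` for values that are not plain YAML types instead of emitting `!!python/...` tags — and `destfile` is opened with `file(trans_temp, 'w')` outside any `with`, so such a failure skips `destfile.close()` and the `os.rename`, leaving the temp file (and, as far as is visible, the lock from `lock_file`) behind. Wrapping the write keeps the handle closed on every path: `with open(trans_temp, 'w') as destfile:` / `    yaml.safe_dump(from_trans, destfile, default_flow_style=False)`. The `temp_transitions_file` hunk in the same file has the same shape (`f = open(path, "w")` with no explicit close before `return path`) and would take the same change. write_transitions begins before this hunk and its handling of temp_lock is not visible here.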
@@ -321,7 +321,7 @@ def temp_transitions_file(transitions):
     (fd, path) = tempfile.mkstemp("", "transitions", Cnf["Dir::TempPath"])
     os.chmod(path, 0o644)
     f = open(path, "w")
-    yaml.dump(transitions, f, default_flow_style=False)
+    yaml.safe_dump(transitions, f, default_flow_style=False)
     return path
 
 ################################################################################
diff --git a/daklib/checks.py b/daklib/checks.py
index 14fb02d3..f0d19ad5 100644
--- a/daklib/checks.py
+++ b/daklib/checks.py
@@ -602,7 +602,7 @@ transition is done.""".format(source, currentlymsg, expected,t["rm"])))
 
         contents = file(path, 'r').read()
         try:
-            transitions = yaml.load(contents)
+            transitions = yaml.safe_load(contents)
             return transitions
         except yaml.YAMLError as msg:
             utils.warn('Not checking transitions, the transitions file is broken: {0}'.format(msg))
@@ -643,7 +643,7 @@ class LintianCheck(Check):
         with open(tagfile, 'r') as sourcefile:
             sourcecontent = sourcefile.read()
         try:
-            lintiantags = yaml.load(sourcecontent)['lintian']
+            lintiantags = yaml.safe_load(sourcecontent)['lintian']
         except yaml.YAMLError as msg:
             raise Exception('Could not read lintian tags file {0}, YAML error: {1}'.format(tagfile, msg))
 
diff --git a/daklib/queue.py b/daklib/queue.py
index 8c306267..5a5c8f90 100755
--- a/daklib/queue.py
+++ b/daklib/queue.py
@@ -41,8 +41,6 @@ from types import *
 from sqlalchemy.sql.expression import desc
 from sqlalchemy.orm.exc import NoResultFound
 
-import yaml
-
 from dak_exceptions import *
 from changes import *
 from regexes import *
-- 
2.39.5
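Review bot: `contents = file(path, 'r').read()` above the changed line relies on the py2-only `file` builtin and on object teardown to close the handle, while the LintianCheck hunk below already reads its input with `with open(tagfile, 'r') as sourcefile:`; the two readers in the same file should use the same form, `with open(path, 'r') as fd:` / `    contents = fd.read()`. The enclosing method starts before the hunk and its final return path is not visible here.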
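Review bot: The `['lintian']` subscript on the changed line sits inside a `try` that only catches `yaml.YAMLError`, so an empty tags file (`safe_load` returns `None`, giving a TypeError) or one without a top-level `lintian` key (KeyError) escapes with a bare traceback instead of the descriptive exception the handler builds. Splitting the parse from the lookup gives both cases a clear message; the rewritten lines are below, with the existing `except` clause kept as is. The LintianCheck method continues past the hunk.
```python
        try:
            tags = yaml.safe_load(sourcecontent)
        # … unchanged: except yaml.YAMLError as msg: / raise Exception(...) …
        if not isinstance(tags, dict) or 'lintian' not in tags:
            raise Exception('Lintian tags file {0} has no top-level "lintian" key'.format(tagfile))
        lintiantags = tags['lintian']
```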