[libvirt] [jenkins-ci PATCH] lcitool: use yaml.safe_load instead of load

Andrea Bolognani abologna at redhat.com
Fri May 3 13:42:49 UTC 2019


On Fri, 2019-05-03 at 11:03 +0100, Daniel P. Berrangé wrote:
> The yaml.load() method is historically unsafe as it allowed for
> arbitrary code execution:
> 
> ./lcitool:323: YAMLLoadWarning: calling yaml.load() without
>  Loader=... is deprecated, as the default Loader is unsafe.
>  Please read https://msg.pyyaml.org/load for full details.
> 
> The PyYAML >= 5.1 is now safe by default, but has none the less
> deprecated the plain load() method to avoid risk for people
> running their app on older versions. For our needs safe_load()
> suffices and is compatible with RHEL-7
> 
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> ---
>  guests/lcitool | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

Reviewed-by: Andrea Bolognani <abologna at redhat.com>

-- 
Andrea Bolognani / Red Hat / Virtualization




More information about the libvir-list mailing list