Comment 27 for bug 2048114

Takashi Kajinami (kajinamit) wrote (last edit ): Re: OpenStack Murano Component Information Leakage

The overall problem is caused by the format method, which internally does eval... I'm unsure if we can restrict the behavior in format or replace it without breaking the existing usage such as "{0}_{1}" or "{foo}_{bar}".

As a safeguard we can introduce an option to disable the format function completely. However, it may affect any deployment where a user is using the format yaql function with valid "safe" usage.

https://github.com/openstack/yaql/blob/0d63eb1346c829c0ce818dd2e00590af6330a0f3/yaql/standard_library/strings.py#L567-L596
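One way to keep the valid usages the comment mentions ("{0}_{1}", "{foo}_{bar}") while refusing replacement fields that reach into an argument's attributes or items, as an added illustration that is not yaql's code and not the commenter's proposal; it builds on Python's `string.Formatter` and assumes a plain `str.format`-style template (the function names below are hypothetical).

```python
import string


class RestrictedFormatter(string.Formatter):
    """str.format() replacement that allows only plain replacement fields.

    Positional ("{0}") and keyword ("{foo}") fields, with optional conversion
    and format spec ("{0!r:>5}"), are accepted. Attribute access ("{0.attr}")
    and item access ("{0[key]}") are rejected, since those are what let a
    template walk from a format argument into its internals.
    """

    def get_field(self, field_name, args, kwargs):
        # get_field() is also reached for fields nested in a format spec,
        # e.g. "{0:{1}}", so checking here covers both places.
        if "." in field_name or "[" in field_name:
            raise ValueError(
                "attribute/item access not allowed in format field: %r" % field_name
            )
        return super().get_field(field_name, args, kwargs)


def safe_format(template, *args, **kwargs):
    """Format 'template' like str.format(), but only with plain fields."""
    return RestrictedFormatter().vformat(template, args, kwargs)


def is_safe_template(template):
    """Return True if safe_format() would accept 'template' (no evaluation)."""
    # parse() yields (literal_text, field_name, format_spec, conversion);
    # field_name is None for a trailing literal chunk.
    for _literal, field_name, spec, _conv in string.Formatter().parse(template):
        if field_name is None:
            continue
        if "." in field_name or "[" in field_name:
            return False
        if spec and not is_safe_template(spec):  # nested fields in the spec
            return False
    return True


def rejects(template, *args, **kwargs):
    """True if safe_format() refuses 'template' with the given arguments."""
    try:
        safe_format(template, *args, **kwargs)
    except ValueError:
        return True
    return False
```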