YaqlYamlLoader inherits from YamlLoader

Bug #1586078 reported by Kirill Zaitsev on 2016-05-26
Affects              Importance  Assigned to
python-muranoclient  Critical    Kirill Zaitsev
Kilo                 Undecided   Unassigned
Liberty              Critical    Kirill Zaitsev
Mitaka               Critical    Kirill Zaitsev
Newton               Critical    Kirill Zaitsev

Bug Description

YaqlYamlLoader inherits from YamlLoader, meaning that it is possible to use PyYAML's extended, unsafe tags in YAML files (see http://pyyaml.org/wiki/PyYAMLDocumentation#YAMLtagsandPythontypes).
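The inheritance problem described in this report, and the SafeLoader-based fix applied in the commits below, shown side by side as an added example that is not python-muranoclient's own code. It assumes a custom `!yaql` tag and a placeholder `YaqlExpression` class; the project's real loader differs in detail.

```python
import yaml
from yaml.constructor import ConstructorError


class YaqlExpression:
    """Placeholder for a parsed YAQL expression (assumed, not murano's class)."""

    def __init__(self, expr):
        self.expr = expr


class UnsafeYaqlYamlLoader(yaml.Loader):
    """Pre-fix shape: subclassing yaml.Loader keeps every python/* tag,
    so a document can instantiate arbitrary Python objects."""


class YaqlYamlLoader(yaml.SafeLoader):
    """Post-fix shape: SafeLoader (with SafeConstructor) knows only the
    core YAML types plus the tags registered on it explicitly."""


def _yaql_constructor(loader, node):
    return YaqlExpression(loader.construct_scalar(node))


# Register the custom tag on both loaders so only the base class differs.
yaml.add_constructor("!yaql", _yaql_constructor, Loader=UnsafeYaqlYamlLoader)
yaml.add_constructor("!yaql", _yaql_constructor, Loader=YaqlYamlLoader)

# Constructed sample documents: a legitimate one and one carrying a python/ tag.
LEGIT_DOC = "name: app\nhosts: !yaql '$.hosts.where($.ready)'\n"
PYTHON_TAG_DOC = "name: app\ncwd: !!python/object/apply:os.getcwd []\n"


def load_with(loader_cls, text):
    """Parse text with loader_cls; returns (data, None) or (None, error)."""
    try:
        return yaml.load(text, Loader=loader_cls), None
    except ConstructorError as exc:
        return None, exc


def load_ui(text, loader_cls=None):
    """The commit's second point: default to the safe loader, never yaml.Loader."""
    return yaml.load(text, Loader=loader_cls or YaqlYamlLoader)
```

With `YaqlYamlLoader` the `!yaql` tag still works while the `!!python/...` document is rejected with a ConstructorError; with the pre-fix class the same document calls `os.getcwd` during parsing.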

Changed in python-muranoclient:
assignee: nobody → Kirill Zaitsev (kzaitsev)
no longer affects: python-muranoclient/0.5.x
description: updated
tags: added: security
Stan Lagun (slagun) wrote :

Looks good to me. Tried to test if it can cause old bugs to return again, and it seems that everything is okay now. However, the patch for the engine is missing. And when changing YaqlYamlLoader, remember to change Constructor to SafeConstructor as well.

information type: Private Security → Public Security

Reviewed: https://review.openstack.org/333440
Committed: https://git.openstack.org/cgit/openstack/python-muranoclient/commit/?id=cd182ba363a11078ae7a0595f54751c1ebddd2e0
Submitter: Jenkins
Branch: master

commit cd182ba363a11078ae7a0595f54751c1ebddd2e0
Author: Kirill Zaitsev <email address hidden>
Date: Fri May 27 01:04:31 2016 +0300

    Use yaml.SafeLoader instead of yaml.Loader

    Before this patch yaml.Loader was used by the client to create custom
    yaql-enabled yaml loader. It is unsafe to do so, because yaml.Loader is
    capable of creating custom python objects from specifically constructed
    yaml files.
    UI parsing functions also fell back to yaml.Loader if
    the custom loader was not supplied.
    After this patch all yaml load operations are performed with safe
    loaders instead.

    Change-Id: Id9bb6eabda35522271ec394f8758a974878cbb4b
    Closes-Bug: #1586078

Changed in python-muranoclient:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/333443
Committed: https://git.openstack.org/cgit/openstack/python-muranoclient/commit/?id=e470430814ceddadea66d2e4bb3a9b10b55869e6
Submitter: Jenkins
Branch: stable/mitaka

commit e470430814ceddadea66d2e4bb3a9b10b55869e6
Author: Kirill Zaitsev <email address hidden>
Date: Fri May 27 01:04:31 2016 +0300

    Use yaml.SafeLoader instead of yaml.Loader

    Before this patch yaml.Loader was used by the client to create custom
    yaql-enabled yaml loader. It is unsafe to do so, because yaml.Loader is
    capable of creating custom python objects from specifically constructed
    yaml files.
    UI parsing functions also fell back to yaml.Loader if
    the custom loader was not supplied.
    After this patch all yaml load operations are performed with safe
    loaders instead.

    Change-Id: Id9bb6eabda35522271ec394f8758a974878cbb4b
    Closes-Bug: #1586078

Reviewed: https://review.openstack.org/333444
Committed: https://git.openstack.org/cgit/openstack/python-muranoclient/commit/?id=b1e8a1753ccc3faf06840f675403645311ac9d79
Submitter: Jenkins
Branch: stable/liberty

commit b1e8a1753ccc3faf06840f675403645311ac9d79
Author: Kirill Zaitsev <email address hidden>
Date: Fri May 27 01:04:31 2016 +0300

    Use yaml.SafeLoader instead of yaml.Loader

    Before this patch yaml.Loader was used by the client to create custom
    yaql-enabled yaml loader. It is unsafe to do so, because yaml.Loader is
    capable of creating custom python objects from specifically constructed
    yaml files.
    UI parsing functions also fell back to yaml.Loader if
    the custom loader was not supplied.
    After this patch all yaml load operations are performed with safe
    loaders instead.

    Change-Id: Id9bb6eabda35522271ec394f8758a974878cbb4b
    Closes-Bug: #1586078

description: updated

This issue was fixed in the openstack/python-muranoclient 0.9.0 release.

This issue was fixed in the openstack/python-muranoclient 0.8.5 release.

This issue was fixed in the openstack/python-muranoclient 0.7.3 release.
