• Use yaml.safe_load when parsing user data · 583666c8
    Rémi Duraffort authored
    Calling yaml.load() on untrusted data is unsafe and can lead to remote code
    execution.
    
    This commit fixes remote code execution in:
    * the submit page
    * the xmlrpc api
    * the scheduler
    * lava-master and lava-slave
    
    This bug was found by running bandit (https://github.com/PyCQA/bandit).
    
    Change-Id: I80882f9baeb0e7e1c2127f602cc4b206213cb59f
__init__.py 42.1 KB