Use yaml.safe_load: full yaml.load isn't needed

The only reason to use yaml.load instead of safe_load is if one wants to
load serialized objects. Heat's use case is purely to load basic data
structures such as maps/lists/strings. Fixes bug #1117820

Change-Id: I4f6cf2ed4e15405f8b296ccaec737a3779c9867d

diff --git a/heat/common/template_format.py b/heat/common/template_format.py
index e3679d28b4543cedd7c3cfe410f5187b93c11bfb..5430d94fdbf42b1fc52fd2ca93d41429a74da4d0 100644 (file)
--- a/heat/common/template_format.py
+++ b/heat/common/template_format.py
@@ -39,7 +39,7 @@ def parse(tmpl_str):
         tpl = json.loads(tmpl_str)
     else:
         try:
-            tpl = yaml.load(tmpl_str)
+            tpl = yaml.safe_load(tmpl_str)
         except yaml.scanner.ScannerError as e:
             raise ValueError(e)
         else:
@@ -90,7 +90,7 @@ def convert_json_to_yaml(json_str):
     json_str = key_re.sub(order_key, json_str)
 
     # parse the string as json to a python structure
-    tpl = yaml.load(json_str)
+    tpl = yaml.safe_load(json_str)
 
     # dump python structure to yaml
     yml = "HeatTemplateFormatVersion: '2012-12-12'\n" + yaml.safe_dump(tpl)