From: Clint Byrum
Date: Thu, 7 Feb 2013 00:27:23 +0000 (-0800)
Subject: Use yaml.safe_load: full yaml.load isn't needed
X-Git-Tag: 2014.1~925
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=d2223869f97055bd1012a31a29c3b1df24773a79;p=openstack-build%2Fheat-build.git
Use yaml.safe_load: full yaml.load isn't needed
The only reason to use yaml.load instead of safe_load is if one wants to load serialized objects. Heat's use case is purely to load basic data structures such as maps/lists/strings.
Fixes bug #1117820
Change-Id: I4f6cf2ed4e15405f8b296ccaec737a3779c9867d
---
diff --git a/heat/common/template_format.py b/heat/common/template_format.py
index e3679d28..5430d94f 100644
--- a/heat/common/template_format.py
+++ b/heat/common/template_format.py
@@ -39,7 +39,7 @@ def parse(tmpl_str):
 tpl = json.loads(tmpl_str)
 else:
 try:
- tpl = yaml.load(tmpl_str)
+ tpl = yaml.safe_load(tmpl_str)
 except yaml.scanner.ScannerError as e:
 raise ValueError(e)
 else:
@@ -90,7 +90,7 @@ def convert_json_to_yaml(json_str):
 json_str = key_re.sub(order_key, json_str)
 # parse the string as json to a python structure
- tpl = yaml.load(json_str)
+ tpl = yaml.safe_load(json_str)
 # dump python structure to yaml
 yml = "HeatTemplateFormatVersion: '2012-12-12'\n" + yaml.safe_dump(tpl)
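Review bot: In `parse`, the handler after the new `yaml.safe_load(tmpl_str)` call still catches only `yaml.scanner.ScannerError`. The `yaml.constructor.ConstructorError` that the safe loader raises for a document carrying a Python object tag, which is the input this commit starts rejecting, would therefore escape as a raw PyYAML exception instead of the `ValueError` raised for other malformed templates. Catching the common base class covers scanner, parser and constructor errors alike: `except yaml.YAMLError as e:`. The `yaml.safe_load(json_str)` call in the second hunk (`convert_json_to_yaml`) has no handler visible at all, so the same question applies there. Both functions continue outside their hunks, so this should be confirmed against the full file.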
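Review bot: The context comment `# parse the string as json to a python structure` above the changed line in `convert_json_to_yaml` does not match the call, which goes through the YAML loader rather than `json.loads`. I would reword it to state what is relied on, for example `# parse the JSON text with the YAML safe loader; no arbitrary Python objects are constructed`. Why the YAML loader is used here instead of the JSON one is not visible in the hunk, so a few words on that in the comment would keep a later edit from reverting to `yaml.load`.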