From 630ae1e92a661003ba45fa33e878048ec550a2d2 Mon Sep 17 00:00:00 2001
From: Nguyen Hung Phuong <phuongnh@vn.fujitsu.com>
Date: Tue, 13 Feb 2018 11:17:08 +0700
Subject: [PATCH] Replaces yaml.load() with yaml.safe_load()

yaml.load() can return arbitrary Python objects, which may be dangerous if you
receive a YAML document from an untrusted source such as the Internet. The
function yaml.safe_load() limits this ability to simple Python objects like
integers or lists.

Reference:
https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: Ifa91f90658a70dcedd00a3e036e3f241746e5bd1
---
 zaqar_ui/api/rest/zaqar.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/zaqar_ui/api/rest/zaqar.py b/zaqar_ui/api/rest/zaqar.py
index db038b6..9c59219 100644
--- a/zaqar_ui/api/rest/zaqar.py
+++ b/zaqar_ui/api/rest/zaqar.py
@@ -36,7 +36,7 @@ def _load_yaml(data):
         loaded_data = {}
     else:
         try:
-            loaded_data = yaml.load(data)
+            loaded_data = yaml.safe_load(data)
         except Exception as ex:
             raise Exception(_('The specified input is not a valid '
                               'YAML format: %s') % six.text_type(ex))
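Review bot: The result of `yaml.safe_load(data)` is never checked to be a mapping, so a document that is a bare scalar or a list comes back as a `str` or `list`, while the branch just above assigns `{}`. If callers of `_load_yaml` expect a dict (they are not visible in this hunk), add a guard after the `try`, for example `if not isinstance(loaded_data, dict): raise Exception(...)`. The handler on the following line would also be tighter as `except yaml.YAMLError as ex:`, so that unrelated failures are not reported to the user as invalid YAML. `_load_yaml` starts and ends outside the hunk.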