From af9d8ff093304b7768b2286bbad48b4f1cb009a8 Mon Sep 17 00:00:00 2001
From: gecong1973
Date: Sat, 4 Feb 2017 12:05:47 +0800
Subject: [PATCH] Replaces yaml.load() with yaml.safe_load()

Yaml.load() return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load() limits this ability to simple Python objects like integers or lists.
Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html
Change-Id: Ib260be0cc604f2272e3c676930bcb307752e142b
---
 generate_requirements/generate_requirements.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/generate_requirements/generate_requirements.py b/generate_requirements/generate_requirements.py
index 1729fd25..30d495f4 100644
--- a/generate_requirements/generate_requirements.py
+++ b/generate_requirements/generate_requirements.py
@@ -37,7 +37,7 @@ DEVNULL = open(os.devnull, 'w')
 # load the yaml file
 with io.open(filename, 'rb') as f:
-    roles = yaml.load(f)
+    roles = yaml.safe_load(f)
 role_names = []
 role_dict = {}
@@ -87,7 +87,7 @@ for role in role_names:
 # Try to read the dependencies from the role's meta/main.yml
 try:
     with io.open(os.path.join(role, "meta", "main.yml")) as f:
-        y = yaml.safe_load(f)
+        y = yaml.safe_load(f)
         for dep in y['dependencies']:
             try:
                 dep = dep['role']
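Review bot: In the second hunk, `y = yaml.safe_load(f)` followed by `for dep in y['dependencies']:` still fails on two ordinary inputs the switch to safe_load does not address: an empty `meta/main.yml` makes safe_load return `None` (so `y['dependencies']` raises `TypeError`), and a meta file without a `dependencies` key raises `KeyError`. Whether those are swallowed depends on the `except` clause of the `try:` opened at the top of the hunk, which lies outside the hunk; if it is a broad except, both cases are silently treated as "no dependencies", which is probably the intent but should be explicit. I would change the loop header to `for dep in (y or {}).get('dependencies', []):` so the no-dependencies case no longer relies on the exception path. Worth noting as well that safe_load only restricts which tags are constructed; it still expands anchors and aliases without a size limit, so it does not by itself protect against maliciously nested YAML — acceptable for locally checked-out role repositories, but not a reason to feed it arbitrary remote documents. The enclosing `for role in role_names:` loop and both `try` blocks continue past the end of the hunk.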