From bb49e1287700b4e7681eab544c61093821ce72f6 Mon Sep 17 00:00:00 2001
From: zmister
Date: Fri, 3 Sep 2021 10:04:52 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E7=94=A8=E6=88=B7=E4=B8=8A?=
 =?UTF-8?q?=E4=BC=A0=E6=96=87=E4=BB=B6=E4=B8=AD=E7=9A=84yaml=E8=A7=A3?=
 =?UTF-8?q?=E6=9E=90=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 CHANGES.md | 5 +++++
 MrDoc/settings.py | 2 +-
 app_doc/import_utils.py | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 638618387..76d29afa8 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,5 +1,10 @@
 ## 版本更新记录
 
+### v0.7.1 2021-09
+
+- [修复]用户上传文件中yaml加载的安全漏洞;
+
+
 ### v0.7.0 2021-08
 
 - [新增]修改文档页面快捷键(Ctrl+S)保存;
diff --git a/MrDoc/settings.py b/MrDoc/settings.py
index e08a38f4a..a057d0293 100644
--- a/MrDoc/settings.py
+++ b/MrDoc/settings.py
@@ -40,7 +40,7 @@
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = CONFIG.getboolean('site','debug',fallback=False)
 
-VERSIONS = '0.6.9'
+VERSIONS = '0.7.0'
 
 ALLOWED_HOSTS = ['*']
 
diff --git a/app_doc/import_utils.py b/app_doc/import_utils.py
index 3b3b36a36..58a7123e7 100644
--- a/app_doc/import_utils.py
+++ b/app_doc/import_utils.py
@@ -58,7 +58,7 @@ def read_zip(self,zip_file_path,create_user):
         # 读取yaml文件
         try:
             with open(os.path.join(self.temp_dir ,'mrdoc.yaml'),'r',encoding='utf-8') as yaml_file:
-                yaml_str = yaml.load(yaml_file.read())
+                yaml_str = yaml.safe_load(yaml_file.read())
                 project_name = yaml_str['project_name'] \
                     if 'project_name' in yaml_str.keys() else zip_file_path[:-4].split('/')[-1]
                 project_desc = yaml_str['project_desc'] if 'project_desc' in yaml_str.keys() else ''
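Review bot: With `safe_load` the parse is no longer an arbitrary-object-construction sink, but the result is still used as a dict unchecked on the lines that follow — an empty mrdoc.yaml yields `None` and a YAML list or scalar yields a non-dict, so `yaml_str.keys()` raises AttributeError, and whether that is caught depends on the `except` clause that lies outside the hunk. I would guard right after the load: `if not isinstance(yaml_str, dict): yaml_str = {}` so a malformed or empty manifest falls back to the filename-derived defaults instead of failing in the attribute lookup. `project_name` and `project_desc` are also accepted as whatever YAML type the uploader wrote (a list or mapping rather than a string is possible); coercing with `str(...)` or rejecting non-string values would keep the downstream fields honest. `safe_load` still expands anchors and aliases, so a size cap on the manifest before parsing is a cheap defence against expansion bombs in a user-supplied archive. read_zip's body continues on both sides outside the hunk.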