修复用户上传文件中的yaml解析漏洞

zmister2016 · Sep 3, 2021 · bb49e12 · bb49e12
1 parent ce0c9f1
commit bb49e12
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 2 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,5 +1,10 @@
 ## 版本更新记录
 
+### v0.7.1 2021-09
+
+- [修复]用户上传文件中yaml加载的安全漏洞；
+
+
 ### v0.7.0 2021-08
 
 - [新增]修改文档页面快捷键（Ctrl+S）保存;

diff --git a/MrDoc/settings.py b/MrDoc/settings.py
@@ -40,7 +40,7 @@
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = CONFIG.getboolean('site','debug',fallback=False)
 
-VERSIONS = '0.6.9'
+VERSIONS = '0.7.0'
 
 ALLOWED_HOSTS = ['*']
 

diff --git a/app_doc/import_utils.py b/app_doc/import_utils.py
@@ -58,7 +58,7 @@ def read_zip(self,zip_file_path,create_user):
         # 读取yaml文件
         try:
             with open(os.path.join(self.temp_dir ,'mrdoc.yaml'),'r',encoding='utf-8') as yaml_file:
-                yaml_str = yaml.load(yaml_file.read())
+                yaml_str = yaml.safe_load(yaml_file.read())
                 project_name = yaml_str['project_name'] \
                     if 'project_name' in yaml_str.keys() else zip_file_path[:-4].split('/')[-1]
                 project_desc = yaml_str['project_desc'] if 'project_desc' in yaml_str.keys() else ''