4c99705f JB |
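diff --git a/markdown/__main__.py b/markdown/__main__.py
index 38d08fe0..43e486c9 100644
--- a/markdown/__main__.py
+++ b/markdown/__main__.py
@@ -26,9 +26,17 @@
 import warnings
 import markdown
 try:
-    import yaml
+    # We use `unsafe_load` because users may need to pass in actual Python
+    # objects. As this is only available from the CLI, the user has much
+    # worse problems if an attacker can use this as an attach vector.
+    from yaml import unsafe_load as yaml_load
 except ImportError:  # pragma: no cover
-    import json as yaml
+    try:
+        # Fall back to PyYAML <5.1
+        from yaml import load as yaml_load
+    except ImportError:
+        # Fall back to JSON
+        from json import load as yaml_load
 
 import logging
 from logging import DEBUG, WARNING, CRITICAL
@@ -97,7 +105,7 @@ def parse_options(args=None, values=None):
             options.configfile, mode="r", encoding=options.encoding
         ) as fp:
             try:
-                extension_configs = yaml.load(fp)
+                extension_configs = yaml_load(fp)
             except Exception as e:
                 message = "Failed parsing extension config file: %s" % \
                     options.configfile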
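Review bot: The extension config file given on the command line is now parsed with `yaml.unsafe_load` (first hunk, the `from yaml import unsafe_load as yaml_load` line), which lets tags such as `!!python/object/apply` construct arbitrary Python objects, yet the trust requirement is stated only in a code comment that users of the CLI never see. State the boundary where it is visible, e.g. in the help text of the config-file option: `# NOTE: this file is loaded with yaml.unsafe_load and can execute arbitrary Python; only pass config files you trust.` The comment in the same hunk also reads "attach vector" where "attack vector" is meant. The second hunk is inside `parse_options`, whose body starts and ends outside this section; the surrounding `except Exception` is pre-existing, and with `unsafe_load` a crafted file can presumably raise non-`Exception` errors such as `SystemExit` during object construction that this handler would not see.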
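--- a/tests/__init__.py.orig	2018-01-05 01:41:13.000000000 +0100
+++ b/tests/__init__.py	2019-03-22 22:41:00.850729644 +0100
@@ -17,13 +17,16 @@
 except ImportError:
     tidylib = None
 try:
-    import yaml
-except ImportError as e:
-    msg = e.args[0]
-    msg = msg + ". A YAML library is required to run the Python-Markdown " \
-          "tests. Run `pip install pyyaml` to install the latest version."
-    e.args = (msg,) + e.args[1:]
-    raise
+    from yaml import unsafe_load as yaml_load
+except ImportError:  # PyYAML < 5.1
+    try:
+        from yaml import load as yaml_load
+    except ImportError as e:
+        msg = e.args[0]
+        msg = msg + ". A YAML library is required to run the Python-Markdown " \
+              "tests. Run `pip install pyyaml` to install the latest version."
+        e.args = (msg,) + e.args[1:]
+        raise
 
 test_dir = os.path.abspath(os.path.dirname(__file__))
 
@@ -36,7 +39,7 @@
         self._config = {}
         if os.path.exists(filename):
             with codecs.open(filename, encoding="utf-8") as f:
-                self._config = yaml.load(f)
+                self._config = yaml_load(f)
 
     def get(self, section, option):
         """ Get config value for given section and option key. """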