PyYAML/CVE-2020-14343.patch

From 7adc0db3f613a82669f2b168edd98379b83adb3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ingy=20d=C3=B6t=20Net?= <ingy@ingy.net>
Date: Sat, 9 Jan 2021 10:53:23 -0500
Subject: [PATCH] Fix for CVE-2020-14343

Per suggestion https://github.com/yaml/pyyaml/issues/420#issuecomment-663888344
move a few constructors from full_load to unsafe_load.
---
 lib/yaml/constructor.py      | 24 ++++++++++++------------
 lib3/yaml/constructor.py     | 24 ++++++++++++------------
 tests/lib/test_recursive.py  |  2 +-
 tests/lib3/test_recursive.py |  2 +-
 4 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/lib/yaml/constructor.py b/lib/yaml/constructor.py
index 794681cb..c42ee344 100644
--- a/lib/yaml/constructor.py
+++ b/lib/yaml/constructor.py
@@ -722,18 +722,6 @@ def construct_python_object_new(self, suffix, node):
     u'tag:yaml.org,2002:python/name:',
     FullConstructor.construct_python_name)
 
-FullConstructor.add_multi_constructor(
-    u'tag:yaml.org,2002:python/module:',
-    FullConstructor.construct_python_module)
-
-FullConstructor.add_multi_constructor(
-    u'tag:yaml.org,2002:python/object:',
-    FullConstructor.construct_python_object)
-
-FullConstructor.add_multi_constructor(
-    u'tag:yaml.org,2002:python/object/new:',
-    FullConstructor.construct_python_object_new)
-
 class UnsafeConstructor(FullConstructor):
 
     def find_python_module(self, name, mark):
@@ -750,6 +738,18 @@ def set_python_instance_state(self, instance, state):
         return super(UnsafeConstructor, self).set_python_instance_state(
             instance, state, unsafe=True)
 
+UnsafeConstructor.add_multi_constructor(
+    u'tag:yaml.org,2002:python/module:',
+    UnsafeConstructor.construct_python_module)
+
+UnsafeConstructor.add_multi_constructor(
+    u'tag:yaml.org,2002:python/object:',
+    UnsafeConstructor.construct_python_object)
+
+UnsafeConstructor.add_multi_constructor(
+    u'tag:yaml.org,2002:python/object/new:',
+    UnsafeConstructor.construct_python_object_new)
+
 UnsafeConstructor.add_multi_constructor(
     u'tag:yaml.org,2002:python/object/apply:',
     UnsafeConstructor.construct_python_object_apply)
diff --git a/lib3/yaml/constructor.py b/lib3/yaml/constructor.py
index 1948b125..619acd30 100644
--- a/lib3/yaml/constructor.py
+++ b/lib3/yaml/constructor.py
@@ -710,18 +710,6 @@ def construct_python_object_new(self, suffix, node):
     'tag:yaml.org,2002:python/name:',
     FullConstructor.construct_python_name)
 
-FullConstructor.add_multi_constructor(
-    'tag:yaml.org,2002:python/module:',
-    FullConstructor.construct_python_module)
-
-FullConstructor.add_multi_constructor(
-    'tag:yaml.org,2002:python/object:',
-    FullConstructor.construct_python_object)
-
-FullConstructor.add_multi_constructor(
-    'tag:yaml.org,2002:python/object/new:',
-    FullConstructor.construct_python_object_new)
-
 class UnsafeConstructor(FullConstructor):
 
     def find_python_module(self, name, mark):
@@ -738,6 +726,18 @@ def set_python_instance_state(self, instance, state):
         return super(UnsafeConstructor, self).set_python_instance_state(
             instance, state, unsafe=True)
 
+UnsafeConstructor.add_multi_constructor(
+    'tag:yaml.org,2002:python/module:',
+    UnsafeConstructor.construct_python_module)
+
+UnsafeConstructor.add_multi_constructor(
+    'tag:yaml.org,2002:python/object:',
+    UnsafeConstructor.construct_python_object)
+
+UnsafeConstructor.add_multi_constructor(
+    'tag:yaml.org,2002:python/object/new:',
+    UnsafeConstructor.construct_python_object_new)
+
 UnsafeConstructor.add_multi_constructor(
     'tag:yaml.org,2002:python/object/apply:',
     UnsafeConstructor.construct_python_object_apply)
diff --git a/tests/lib/test_recursive.py b/tests/lib/test_recursive.py
index 312204ea..04c57985 100644
--- a/tests/lib/test_recursive.py
+++ b/tests/lib/test_recursive.py
@@ -30,7 +30,7 @@ def test_recursive(recursive_filename, verbose=False):
     output2 = None
     try:
         output1 = yaml.dump(value1)
-        value2 = yaml.load(output1, yaml.FullLoader)
+        value2 = yaml.load(output1, yaml.UnsafeLoader)
         output2 = yaml.dump(value2)
         assert output1 == output2, (output1, output2)
     finally:
diff --git a/tests/lib3/test_recursive.py b/tests/lib3/test_recursive.py
index 74c2ee65..08042c81 100644
--- a/tests/lib3/test_recursive.py
+++ b/tests/lib3/test_recursive.py
@@ -31,7 +31,7 @@ def test_recursive(recursive_filename, verbose=False):
     output2 = None
     try:
         output1 = yaml.dump(value1)
-        value2 = yaml.full_load(output1)
+        value2 = yaml.unsafe_load(output1)
         output2 = yaml.dump(value2)
         assert output1 == output2, (output1, output2)
     finally:
Fix CVE-2020-14343 2021-06-11 16:03:47 +08:00			`From 7adc0db3f613a82669f2b168edd98379b83adb3c Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Ingy=20d=C3=B6t=20Net?= <ingy@ingy.net>`
			`Date: Sat, 9 Jan 2021 10:53:23 -0500`
			`Subject: [PATCH] Fix for CVE-2020-14343`

			`Per suggestion https://github.com/yaml/pyyaml/issues/420#issuecomment-663888344`
			`move a few constructors from full_load to unsafe_load.`
			`---`
			`lib/yaml/constructor.py \| 24 ++++++++++++------------`
			`lib3/yaml/constructor.py \| 24 ++++++++++++------------`
			`tests/lib/test_recursive.py \| 2 +-`
			`tests/lib3/test_recursive.py \| 2 +-`
			`4 files changed, 26 insertions(+), 26 deletions(-)`

			`diff --git a/lib/yaml/constructor.py b/lib/yaml/constructor.py`
			`index 794681cb..c42ee344 100644`
			`--- a/lib/yaml/constructor.py`
			`+++ b/lib/yaml/constructor.py`
			`@@ -722,18 +722,6 @@ def construct_python_object_new(self, suffix, node):`
			`u'tag:yaml.org,2002:python/name:',`
			`FullConstructor.construct_python_name)`

			`-FullConstructor.add_multi_constructor(`
			`- u'tag:yaml.org,2002:python/module:',`
			`- FullConstructor.construct_python_module)`
			`-`
			`-FullConstructor.add_multi_constructor(`
			`- u'tag:yaml.org,2002:python/object:',`
			`- FullConstructor.construct_python_object)`
			`-`
			`-FullConstructor.add_multi_constructor(`
			`- u'tag:yaml.org,2002:python/object/new:',`
			`- FullConstructor.construct_python_object_new)`
			`-`
			`class UnsafeConstructor(FullConstructor):`

			`def find_python_module(self, name, mark):`
			`@@ -750,6 +738,18 @@ def set_python_instance_state(self, instance, state):`
			`return super(UnsafeConstructor, self).set_python_instance_state(`
			`instance, state, unsafe=True)`

			`+UnsafeConstructor.add_multi_constructor(`
			`+ u'tag:yaml.org,2002:python/module:',`
			`+ UnsafeConstructor.construct_python_module)`
			`+`
			`+UnsafeConstructor.add_multi_constructor(`
			`+ u'tag:yaml.org,2002:python/object:',`
			`+ UnsafeConstructor.construct_python_object)`
			`+`
			`+UnsafeConstructor.add_multi_constructor(`
			`+ u'tag:yaml.org,2002:python/object/new:',`
			`+ UnsafeConstructor.construct_python_object_new)`
			`+`
			`UnsafeConstructor.add_multi_constructor(`
			`u'tag:yaml.org,2002:python/object/apply:',`
			`UnsafeConstructor.construct_python_object_apply)`
			`diff --git a/lib3/yaml/constructor.py b/lib3/yaml/constructor.py`
			`index 1948b125..619acd30 100644`
			`--- a/lib3/yaml/constructor.py`
			`+++ b/lib3/yaml/constructor.py`
			`@@ -710,18 +710,6 @@ def construct_python_object_new(self, suffix, node):`
			`'tag:yaml.org,2002:python/name:',`
			`FullConstructor.construct_python_name)`

			`-FullConstructor.add_multi_constructor(`
			`- 'tag:yaml.org,2002:python/module:',`
			`- FullConstructor.construct_python_module)`
			`-`
			`-FullConstructor.add_multi_constructor(`
			`- 'tag:yaml.org,2002:python/object:',`
			`- FullConstructor.construct_python_object)`
			`-`
			`-FullConstructor.add_multi_constructor(`
			`- 'tag:yaml.org,2002:python/object/new:',`
			`- FullConstructor.construct_python_object_new)`
			`-`
			`class UnsafeConstructor(FullConstructor):`

			`def find_python_module(self, name, mark):`
			`@@ -738,6 +726,18 @@ def set_python_instance_state(self, instance, state):`
			`return super(UnsafeConstructor, self).set_python_instance_state(`
			`instance, state, unsafe=True)`

			`+UnsafeConstructor.add_multi_constructor(`
			`+ 'tag:yaml.org,2002:python/module:',`
			`+ UnsafeConstructor.construct_python_module)`
			`+`
			`+UnsafeConstructor.add_multi_constructor(`
			`+ 'tag:yaml.org,2002:python/object:',`
			`+ UnsafeConstructor.construct_python_object)`
			`+`
			`+UnsafeConstructor.add_multi_constructor(`
			`+ 'tag:yaml.org,2002:python/object/new:',`
			`+ UnsafeConstructor.construct_python_object_new)`
			`+`
			`UnsafeConstructor.add_multi_constructor(`
			`'tag:yaml.org,2002:python/object/apply:',`
			`UnsafeConstructor.construct_python_object_apply)`
			`diff --git a/tests/lib/test_recursive.py b/tests/lib/test_recursive.py`
			`index 312204ea..04c57985 100644`
			`--- a/tests/lib/test_recursive.py`
			`+++ b/tests/lib/test_recursive.py`
			`@@ -30,7 +30,7 @@ def test_recursive(recursive_filename, verbose=False):`
			`output2 = None`
			`try:`
			`output1 = yaml.dump(value1)`
			`- value2 = yaml.load(output1, yaml.FullLoader)`
			`+ value2 = yaml.load(output1, yaml.UnsafeLoader)`
			`output2 = yaml.dump(value2)`
			`assert output1 == output2, (output1, output2)`
			`finally:`
			`diff --git a/tests/lib3/test_recursive.py b/tests/lib3/test_recursive.py`
			`index 74c2ee65..08042c81 100644`
			`--- a/tests/lib3/test_recursive.py`
			`+++ b/tests/lib3/test_recursive.py`
			`@@ -31,7 +31,7 @@ def test_recursive(recursive_filename, verbose=False):`
			`output2 = None`
			`try:`
			`output1 = yaml.dump(value1)`
			`- value2 = yaml.full_load(output1)`
			`+ value2 = yaml.unsafe_load(output1)`
			`output2 = yaml.dump(value2)`
			`assert output1 == output2, (output1, output2)`
			`finally:`