The yaml.load() method is historically unsafe as it allowed for arbitrary code execution: ./lcitool:323: YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details. The PyYAML >= 5.1 is now safe by default, but has none the less deprecated the plain load() method to avoid risk for people running their app on older versions. For our needs safe_load() suffices and is compatible with RHEL-7
Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
---
 guests/lcitool | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/guests/lcitool b/guests/lcitool
index 1c18b5a..30b6430 100755
--- a/guests/lcitool
+++ b/guests/lcitool
@@ -257,7 +257,7 @@ class Inventory:
 @staticmethod
 def _add_facts_from_file(facts, yaml_path):
 with open(yaml_path, "r") as infile:
- some_facts = yaml.load(infile)
+ some_facts = yaml.safe_load(infile)
 for fact in some_facts:
 facts[fact] = some_facts[fact]
@@ -301,7 +301,7 @@ class Projects:
 try:
 with open(mappings_path, "r") as infile:
- mappings = yaml.load(infile)
+ mappings = yaml.safe_load(infile)
 self._mappings = mappings["mappings"]
 except Exception as ex:
 raise Exception("Can't load mappings: {}".format(ex))
@@ -320,7 +320,7 @@ class Projects:
 try:
 with open(yaml_path, "r") as infile:
- packages = yaml.load(infile)
+ packages = yaml.safe_load(infile)
 self._packages[project] = packages["packages"]
 except Exception as ex:
 raise Exception(
-- 2.21.0
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
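Review bot: `yaml.safe_load()` returns `None` for an empty or comment-only file, so in `_add_facts_from_file` the `for fact in some_facts:` loop right after the changed line raises a TypeError instead of adding no facts; `some_facts = yaml.safe_load(infile) or {}` would cover it. The same gap exists in the two `Projects` hunks (`@@ -301` and `@@ -320`), where subscripting `None` is caught by the surrounding `except Exception` and surfaces only as a confusing "'NoneType' object is not subscriptable" message. A one-line comment at each call site, e.g. `# safe_load: these files are plain data and must never construct Python objects`, would also keep the call from later being swapped for `yaml.load(..., Loader=...)` with a less restrictive loader. The enclosing functions start or end outside the hunks, so any handling elsewhere is not visible here.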