Make pyyaml safe by default.

lib/yaml/__init__.py

@@ -65,40 +65,48 @@ def load(stream, Loader=Loader):
     """
     Parse the first YAML document in a stream
     and produce the corresponding Python object.
+
+    By default resolve only basic YAML tags, if an alternate Loader is
+    provided, may be dangerous.
     """
     loader = Loader(stream)
     try:
         return loader.get_single_data()
     finally:
         loader.dispose()
+safe_load = load
 
 def load_all(stream, Loader=Loader):
     """
     Parse all YAML documents in a stream
     and produce corresponding Python objects.
+
+    By default resolve only basic YAML tags, if an alternate Loader is
+    provided, may be dangerous.
     """
     loader = Loader(stream)
     try:
         while loader.check_data():
             yield loader.get_data()
     finally:
         loader.dispose()
+safe_load_all = load_all
 
-def safe_load(stream):
+def danger_load(stream):
     """
     Parse the first YAML document in a stream
     and produce the corresponding Python object.
-    Resolve only basic YAML tags.
+    When used on untrusted input, can result in arbitrary code execution.
     """
-    return load(stream, SafeLoader)
+    return load(stream, DangerLoader)
 
-def safe_load_all(stream):
+def danger_load_all(stream):
     """
     Parse all YAML documents in a stream
     and produce corresponding Python objects.
-    Resolve only basic YAML tags.
+    When used on untrusted input, can result in arbitrary code execution.
     """
-    return load_all(stream, SafeLoader)
+    return load_all(stream, DangerLoader)
 
 def emit(events, stream=None, Dumper=Dumper,
         canonical=None, indent=None, width=None,
@@ -193,29 +201,31 @@ def dump_all(documents, stream=None, Dumper=Dumper,
         dumper.dispose()
     if getvalue:
         return getvalue()
+safe_dump_all = dump_all
 
-def dump(data, stream=None, Dumper=Dumper, **kwds):
+def danger_dump_all(documents, stream=None, **kwds):
     """
-    Serialize a Python object into a YAML stream.
+    Serialize a sequence of Python objects into a YAML stream.
+    Produce only basic YAML tags.
     If stream is None, return the produced string instead.
     """
-    return dump_all([data], stream, Dumper=Dumper, **kwds)
+    return dump_all(documents, stream, Dumper=DangerDumper, **kwds)
 
-def safe_dump_all(documents, stream=None, **kwds):
+def dump(data, stream=None, Dumper=Dumper, **kwds):
     """
-    Serialize a sequence of Python objects into a YAML stream.
-    Produce only basic YAML tags.
+    Serialize a Python object into a YAML stream.
     If stream is None, return the produced string instead.
     """
-    return dump_all(documents, stream, Dumper=SafeDumper, **kwds)
+    return dump_all([data], stream, Dumper=Dumper, **kwds)
+safe_dump = dump
 
-def safe_dump(data, stream=None, **kwds):
+def danger_dump(data, stream=None, **kwds):
     """
     Serialize a Python object into a YAML stream.
     Produce only basic YAML tags.
     If stream is None, return the produced string instead.
     """
-    return dump_all([data], stream, Dumper=SafeDumper, **kwds)
+    return dump_all([data], stream, Dumper=DangerDumper, **kwds)
 
 def add_implicit_resolver(tag, regexp, first=None,
         Loader=Loader, Dumper=Dumper):
@@ -312,4 +322,3 @@ def to_yaml(cls, dumper, data):
         return dumper.represent_yaml_object(cls.yaml_tag, data, cls,
                 flow_style=cls.yaml_flow_style)
     to_yaml = classmethod(to_yaml)
-

lib/yaml/cyaml.py

@@ -1,6 +1,6 @@
 
-__all__ = ['CBaseLoader', 'CSafeLoader', 'CLoader',
-        'CBaseDumper', 'CSafeDumper', 'CDumper']
+__all__ = ['CBaseLoader', 'CSafeLoader', 'CLoader', 'CDangerLoader',
+        'CBaseDumper', 'CSafeDumper', 'CDumper', 'CDangerDumper']
 
 from _yaml import CParser, CEmitter
 
@@ -18,14 +18,15 @@ def __init__(self, stream):
         BaseConstructor.__init__(self)
         BaseResolver.__init__(self)
 
-class CSafeLoader(CParser, SafeConstructor, Resolver):
+class CLoader(CParser, SafeConstructor, Resolver):
 
     def __init__(self, stream):
         CParser.__init__(self, stream)
         SafeConstructor.__init__(self)
         Resolver.__init__(self)
+CSafeLoader = CLoader
 
-class CLoader(CParser, Constructor, Resolver):
+class CDangerLoader(CParser, Constructor, Resolver):
 
     def __init__(self, stream):
         CParser.__init__(self, stream)
@@ -49,7 +50,7 @@ def __init__(self, stream,
                 default_flow_style=default_flow_style)
         Resolver.__init__(self)
 
-class CSafeDumper(CEmitter, SafeRepresenter, Resolver):
+class CDumper(CEmitter, SafeRepresenter, Resolver):
 
     def __init__(self, stream,
             default_style=None, default_flow_style=None,
@@ -65,8 +66,9 @@ def __init__(self, stream,
         SafeRepresenter.__init__(self, default_style=default_style,
                 default_flow_style=default_flow_style)
         Resolver.__init__(self)
+CSafeDumper = CDumper
 
-class CDumper(CEmitter, Serializer, Representer, Resolver):
+class CDangerDumper(CEmitter, Serializer, Representer, Resolver):
 
     def __init__(self, stream,
             default_style=None, default_flow_style=None,
@@ -82,4 +84,3 @@ def __init__(self, stream,
         Representer.__init__(self, default_style=default_style,
                 default_flow_style=default_flow_style)
         Resolver.__init__(self)
-

lib/yaml/dumper.py

@@ -1,5 +1,5 @@
 
-__all__ = ['BaseDumper', 'SafeDumper', 'Dumper']
+__all__ = ['BaseDumper', 'SafeDumper', 'Dumper', 'DangerDumper']
 
 from emitter import *
 from serializer import *
@@ -24,7 +24,7 @@ def __init__(self, stream,
                 default_flow_style=default_flow_style)
         Resolver.__init__(self)
 
-class SafeDumper(Emitter, Serializer, SafeRepresenter, Resolver):
+class Dumper(Emitter, Serializer, SafeRepresenter, Resolver):
 
     def __init__(self, stream,
             default_style=None, default_flow_style=None,
@@ -41,8 +41,9 @@ def __init__(self, stream,
         SafeRepresenter.__init__(self, default_style=default_style,
                 default_flow_style=default_flow_style)
         Resolver.__init__(self)
+SafeDumper = Dumper
 
-class Dumper(Emitter, Serializer, Representer, Resolver):
+class DangerDumper(Emitter, Serializer, Representer, Resolver):
 
     def __init__(self, stream,
             default_style=None, default_flow_style=None,
@@ -59,4 +60,3 @@ def __init__(self, stream,
         Representer.__init__(self, default_style=default_style,
                 default_flow_style=default_flow_style)
         Resolver.__init__(self)
-

lib/yaml/loader.py

@@ -1,5 +1,5 @@
 
-__all__ = ['BaseLoader', 'SafeLoader', 'Loader']
+__all__ = ['BaseLoader', 'SafeLoader', 'Loader', 'DangerLoader']
 
 from reader import *
 from scanner import *
@@ -18,7 +18,7 @@ def __init__(self, stream):
         BaseConstructor.__init__(self)
         BaseResolver.__init__(self)
 
-class SafeLoader(Reader, Scanner, Parser, Composer, SafeConstructor, Resolver):
+class Loader(Reader, Scanner, Parser, Composer, SafeConstructor, Resolver):
 
     def __init__(self, stream):
         Reader.__init__(self, stream)
@@ -27,8 +27,9 @@ def __init__(self, stream):
         Composer.__init__(self)
         SafeConstructor.__init__(self)
         Resolver.__init__(self)
+SafeLoader = Loader
 
-class Loader(Reader, Scanner, Parser, Composer, Constructor, Resolver):
+class DangerLoader(Reader, Scanner, Parser, Composer, Constructor, Resolver):
 
     def __init__(self, stream):
         Reader.__init__(self, stream)
@@ -37,4 +38,3 @@ def __init__(self, stream):
         Composer.__init__(self)
         Constructor.__init__(self)
         Resolver.__init__(self)
-

lib3/yaml/__init__.py

@@ -66,40 +66,48 @@ def load(stream, Loader=Loader):
     """
     Parse the first YAML document in a stream
     and produce the corresponding Python object.
+
+    By default resolve only basic YAML tags, if an alternate Loader is
+    provided, may be dangerous.
     """
     loader = Loader(stream)
     try:
         return loader.get_single_data()
     finally:
         loader.dispose()
+safe_load = load
 
 def load_all(stream, Loader=Loader):
     """
     Parse all YAML documents in a stream
     and produce corresponding Python objects.
+
+    By default resolve only basic YAML tags, if an alternate Loader is
+    provided, may be dangerous.
     """
     loader = Loader(stream)
     try:
         while loader.check_data():
             yield loader.get_data()
     finally:
         loader.dispose()
+safe_load_all = load_all
 
-def safe_load(stream):
+def danger_load(stream):
     """
     Parse the first YAML document in a stream
     and produce the corresponding Python object.
-    Resolve only basic YAML tags.
+    When used on untrusted input, can result in arbitrary code execution.
     """
-    return load(stream, SafeLoader)
+    return load(stream, DangerLoader)
 
-def safe_load_all(stream):
+def danger_load_all(stream):
     """
     Parse all YAML documents in a stream
     and produce corresponding Python objects.
-    Resolve only basic YAML tags.
+    When used on untrusted input, can result in arbitrary code execution.
     """
-    return load_all(stream, SafeLoader)
+    return load_all(stream, DangerLoader)
 
 def emit(events, stream=None, Dumper=Dumper,
         canonical=None, indent=None, width=None,
@@ -191,29 +199,31 @@ def dump_all(documents, stream=None, Dumper=Dumper,
         dumper.dispose()
     if getvalue:
         return getvalue()
+safe_dump_all = dump_all
 
-def dump(data, stream=None, Dumper=Dumper, **kwds):
+def danger_dump_all(documents, stream=None, **kwds):
     """
-    Serialize a Python object into a YAML stream.
+    Serialize a sequence of Python objects into a YAML stream.
+    Produce only basic YAML tags.
     If stream is None, return the produced string instead.
     """
-    return dump_all([data], stream, Dumper=Dumper, **kwds)
+    return dump_all(documents, stream, Dumper=DangerDumper, **kwds)
 
-def safe_dump_all(documents, stream=None, **kwds):
+def dump(data, stream=None, Dumper=Dumper, **kwds):
     """
-    Serialize a sequence of Python objects into a YAML stream.
-    Produce only basic YAML tags.
+    Serialize a Python object into a YAML stream.
     If stream is None, return the produced string instead.
     """
-    return dump_all(documents, stream, Dumper=SafeDumper, **kwds)
+    return dump_all([data], stream, Dumper=Dumper, **kwds)
+safe_dump = dump
 
-def safe_dump(data, stream=None, **kwds):
+def danger_dump(data, stream=None, **kwds):
     """
     Serialize a Python object into a YAML stream.
     Produce only basic YAML tags.
     If stream is None, return the produced string instead.
     """
-    return dump_all([data], stream, Dumper=SafeDumper, **kwds)
+    return dump_all([data], stream, Dumper=DangerDumper, **kwds)
 
 def add_implicit_resolver(tag, regexp, first=None,
         Loader=Loader, Dumper=Dumper):

lib3/yaml/cyaml.py

@@ -1,6 +1,6 @@
 
-__all__ = ['CBaseLoader', 'CSafeLoader', 'CLoader',
-        'CBaseDumper', 'CSafeDumper', 'CDumper']
+__all__ = ['CBaseLoader', 'CSafeLoader', 'CLoader', 'CDangerLoader',
+        'CBaseDumper', 'CSafeDumper', 'CDumper', 'CDangerDumper']
 
 from _yaml import CParser, CEmitter
 
@@ -18,14 +18,15 @@ def __init__(self, stream):
         BaseConstructor.__init__(self)
         BaseResolver.__init__(self)
 
-class CSafeLoader(CParser, SafeConstructor, Resolver):
+class CLoader(CParser, SafeConstructor, Resolver):
 
     def __init__(self, stream):
         CParser.__init__(self, stream)
         SafeConstructor.__init__(self)
         Resolver.__init__(self)
+CSafeLoader = CLoader
 
-class CLoader(CParser, Constructor, Resolver):
+class CDangerLoader(CParser, Constructor, Resolver):
 
     def __init__(self, stream):
         CParser.__init__(self, stream)
@@ -49,7 +50,7 @@ def __init__(self, stream,
                 default_flow_style=default_flow_style)
         Resolver.__init__(self)
 
-class CSafeDumper(CEmitter, SafeRepresenter, Resolver):
+class CDumper(CEmitter, SafeRepresenter, Resolver):
 
     def __init__(self, stream,
             default_style=None, default_flow_style=None,
@@ -65,8 +66,9 @@ def __init__(self, stream,
         SafeRepresenter.__init__(self, default_style=default_style,
                 default_flow_style=default_flow_style)
         Resolver.__init__(self)
+CSafeDumper = CDumper
 
-class CDumper(CEmitter, Serializer, Representer, Resolver):
+class CDangerDumper(CEmitter, Serializer, Representer, Resolver):
 
     def __init__(self, stream,
             default_style=None, default_flow_style=None,
@@ -82,4 +84,3 @@ def __init__(self, stream,
         Representer.__init__(self, default_style=default_style,
                 default_flow_style=default_flow_style)
         Resolver.__init__(self)
-

lib3/yaml/dumper.py

@@ -1,5 +1,5 @@
 
-__all__ = ['BaseDumper', 'SafeDumper', 'Dumper']
+__all__ = ['BaseDumper', 'SafeDumper', 'Dumper', 'DangerDumper']
 
 from .emitter import *
 from .serializer import *
@@ -24,7 +24,7 @@ def __init__(self, stream,
                 default_flow_style=default_flow_style)
         Resolver.__init__(self)
 
-class SafeDumper(Emitter, Serializer, SafeRepresenter, Resolver):
+class Dumper(Emitter, Serializer, SafeRepresenter, Resolver):
 
     def __init__(self, stream,
             default_style=None, default_flow_style=None,
@@ -41,8 +41,9 @@ def __init__(self, stream,
         SafeRepresenter.__init__(self, default_style=default_style,
                 default_flow_style=default_flow_style)
         Resolver.__init__(self)
+SafeDumper = Dumper
 
-class Dumper(Emitter, Serializer, Representer, Resolver):
+class DangerDumper(Emitter, Serializer, Representer, Resolver):
 
     def __init__(self, stream,
             default_style=None, default_flow_style=None,
@@ -59,4 +60,3 @@ def __init__(self, stream,
         Representer.__init__(self, default_style=default_style,
                 default_flow_style=default_flow_style)
         Resolver.__init__(self)
-