From 987f7e2749f7f9049b9ce4f10a992879c46dab90 Mon Sep 17 00:00:00 2001
From: Robin Schneider
Date: Tue, 21 Feb 2017 22:04:48 +0100
Subject: [PATCH] Fix code execution vulnerability by switching to yaml.safe_load

Ref: https://github.com/yaml/pyyaml/issues/5
---
 src/ansiblecmdb/ansible.py | 2 +-
 src/ansiblecmdb/parser.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/ansiblecmdb/ansible.py b/src/ansiblecmdb/ansible.py
index 6c49328..e7a39f9 100644
--- a/src/ansiblecmdb/ansible.py
+++ b/src/ansiblecmdb/ansible.py
@@ -122,7 +122,7 @@ def _parse_hostvar_dir(self, inventory_path):
             try:
                 f = codecs.open(f_path, 'r', encoding='utf8')
-                invars = yaml.load(f)
+                invars = yaml.safe_load(f)
                 f.close()
                 self.update_host(fname, {'hostvars': invars})
             except Exception as err:
diff --git a/src/ansiblecmdb/parser.py b/src/ansiblecmdb/parser.py
index b4637b0..b6a67ef 100644
--- a/src/ansiblecmdb/parser.py
+++ b/src/ansiblecmdb/parser.py
@@ -181,7 +181,7 @@ def _parse_line_vars(self, line):
         k, v = line.strip().split('=', 1)
         if v.startswith('['):
             try:
-                list_res = yaml.load(v)
+                list_res = yaml.safe_load(v)
                 if isinstance(list_res[0], dict):
                     key_values = list_res[0]
                     return key_values
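Review bot: The handle opened on the `codecs.open` line is never closed when the new `yaml.safe_load(f)` raises, because `f.close()` runs only on the success path and the `except Exception as err:` branch below does not close it, so every malformed host_vars file leaks a descriptor. Replacing the open/load/close trio with `with codecs.open(f_path, 'r', encoding='utf8') as f:` followed by `    invars = yaml.safe_load(f)` closes it on every path and drops the explicit `f.close()`. Note also that `safe_load` returns `None` for an empty or comment-only file, so `update_host` would then receive `{'hostvars': None}` instead of a mapping — presumably the consumer tolerates that, but it is worth confirming. `_parse_hostvar_dir` begins and ends outside the hunk.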
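Review bot: `list_res[0]` on the line after the new `yaml.safe_load(v)` call is indexed without confirming the parse produced a non-empty list: a value of `[]` parses to an empty list and raises IndexError, and a non-list result would raise TypeError. Whether the enclosing `except` (outside the hunk) absorbs those is not visible here, so the check is better made explicit: `if isinstance(list_res, list) and list_res and isinstance(list_res[0], dict):`. Since `v` is taken straight from the `line` argument, a short comment on the new line would keep the next maintainer from reverting it, e.g. `# safe_load only: line text is untrusted input, yaml.load would allow arbitrary object construction`. `_parse_line_vars` starts and ends outside the hunk.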