Posted to commits@airflow.apache.org by ar...@apache.org on 2017/03/14 18:38:58 UTC
[1/2] incubator-airflow git commit: [AIRFLOW-933] Replace eval with
literal_eval to prevent RCE
Repository: incubator-airflow
Updated Branches:
refs/heads/master ed03bb719 -> c44e2009e
[AIRFLOW-933] Replace eval with literal_eval to prevent RCE
Replace eval with a literal eval to help prevent arbitrary code
execution on the webserver host.
Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/2bf52ab1
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/2bf52ab1
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/2bf52ab1
Branch: refs/heads/master
Commit: 2bf52ab16960f00cb9a98ba455d5851aabf6305f
Parents: ed03bb7
Author: Arthur Wiedmer <ar...@gmail.com>
Authored: Tue Mar 14 10:40:23 2017 -0700
Committer: Arthur Wiedmer <ar...@gmail.com>
Committed: Tue Mar 14 10:40:23 2017 -0700
----------------------------------------------------------------------
airflow/www/views.py | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/2bf52ab1/airflow/www/views.py
----------------------------------------------------------------------
diff --git a/airflow/www/views.py b/airflow/www/views.py
index de33843..15735b4 100644
--- a/airflow/www/views.py
+++ b/airflow/www/views.py
@@ -15,6 +15,7 @@
from past.builtins import basestring, unicode
+import ast
import os
import pkg_resources
import socket
@@ -44,7 +45,6 @@ from flask._compat import PY2
import jinja2
import markdown
import nvd3
-import ast
from wtforms import (
Form, SelectField, TextAreaField, PasswordField, StringField, validators)
@@ -231,8 +231,8 @@ def data_profiling_required(f):
@wraps(f)
def decorated_function(*args, **kwargs):
if (
- current_app.config['LOGIN_DISABLED'] or
- (not current_user.is_anonymous() and current_user.data_profiling())
+ current_app.config['LOGIN_DISABLED'] or
+ (not current_user.is_anonymous() and current_user.data_profiling())
):
return f(*args, **kwargs)
else:
@@ -312,7 +312,7 @@ class Airflow(BaseView):
# Processing templated fields
try:
- args = eval(chart.default_params)
+ args = ast.literal_eval(chart.default_params)
if type(args) is not type(dict()):
raise AirflowException('Not a dict')
except:
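Review bot: The bare `except:` on the last line of the hunk still catches everything, including `KeyboardInterrupt` and `SystemExit`, and it now also hides the `ValueError`/`SyntaxError` that `ast.literal_eval` raises for a malformed `chart.default_params`, so the swap to `literal_eval` cannot be distinguished from a bad value at this point. Narrowing it to `except (ValueError, SyntaxError, AirflowException):` keeps the intended fallback while letting unexpected failures surface. The dict check on the line before would read more naturally as `if not isinstance(args, dict):` instead of `if type(args) is not type(dict()):`. Note that `literal_eval` still parses what is presumably user-supplied text from the chart definition; deeply nested literals can raise `MemoryError` or `RecursionError`, which a narrowed handler would no longer mask, so a size cap on `default_params` at the point it is saved is worth confirming. The enclosing method starts before the hunk and the `except` body continues past it.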
[2/2] incubator-airflow git commit: Merge pull request #2150 from
artwr/artwr-fix_another_use_of_eval
Posted by ar...@apache.org.
Merge pull request #2150 from artwr/artwr-fix_another_use_of_eval
Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/c44e2009
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/c44e2009
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/c44e2009
Branch: refs/heads/master
Commit: c44e2009ee625ce4a82c50e585a3c8617d9b4ff8
Parents: ed03bb7 2bf52ab
Author: Arthur Wiedmer <ar...@gmail.com>
Authored: Tue Mar 14 11:39:45 2017 -0700
Committer: Arthur Wiedmer <ar...@gmail.com>
Committed: Tue Mar 14 11:39:45 2017 -0700
----------------------------------------------------------------------
airflow/www/views.py | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
----------------------------------------------------------------------