Posted to commits@airflow.apache.org by da...@apache.org on 2017/03/01 22:03:46 UTC

incubator-airflow git commit: [AIRFLOW-933] use ast.literal_eval rather than eval because ast.literal_eval does not execute input.

Repository: incubator-airflow
Updated Branches:
  refs/heads/master 7d95a0dca -> 88d9b0dc9


[AIRFLOW-933] use ast.literal_eval rather than eval because ast.literal_eval does not execute
input.

This PR addresses the following issues:
- *(https://issues.apache.org/jira/browse/AIRFLOW-933)*

This PR is trying to solve a security issue. The
test was done by setting up a local web server and
reproducing the issue described in the JIRA link above.

Closes #2117 from amaliujia/master


Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/88d9b0dc
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/88d9b0dc
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/88d9b0dc

Branch: refs/heads/master
Commit: 88d9b0dc96e7528c87326c8070ee276e8565545f
Parents: 7d95a0d
Author: Rui Wang <ru...@airbnb.com>
Authored: Wed Mar 1 14:03:34 2017 -0800
Committer: Dan Davydov <da...@airbnb.com>
Committed: Wed Mar 1 14:03:37 2017 -0800

----------------------------------------------------------------------
 airflow/www/views.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/88d9b0dc/airflow/www/views.py
----------------------------------------------------------------------
diff --git a/airflow/www/views.py b/airflow/www/views.py
index e064f38..0e065a6 100644
--- a/airflow/www/views.py
+++ b/airflow/www/views.py
@@ -44,6 +44,7 @@ from flask._compat import PY2
 import jinja2
 import markdown
 import nvd3
+import ast
 
 from wtforms import (
     Form, SelectField, TextAreaField, PasswordField, StringField, validators)
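
Review bot: `import ast` is a standard-library module but lands after the third-party imports (`jinja2`, `markdown`, `nvd3`) in this hunk. PEP 8 grouping would put it with the standard-library imports instead, which keeps it easy to see at a glance which names in `views.py` come from installed packages.
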
@@ -168,7 +169,7 @@ def nobr_f(v, c, m, p):
 
 def label_link(v, c, m, p):
     try:
-        default_params = eval(m.default_params)
+        default_params = ast.literal_eval(m.default_params)
     except:
         default_params = {}
     url = url_for(
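
Review bot: The bare `except:` around the new `ast.literal_eval(m.default_params)` call in `label_link` still swallows every exception, so any stored value that is not a plain Python literal now silently becomes `{}` with no log line. `ast.literal_eval` typically raises `ValueError` or `SyntaxError` on input it rejects; catching only those would make the fallback deliberate and let unrelated errors surface. The call can also return a non-dict literal such as a list or a string, and nothing in the visible lines checks the type before `default_params` is used, so an `isinstance(default_params, dict)` check with the same `{}` fallback is worth adding. The diffstat shows only `airflow/www/views.py` changed; a unit test that feeds `label_link` a non-literal `default_params` string would keep `eval` from being reintroduced here.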