Posted to commits@airflow.apache.org by da...@apache.org on 2017/03/01 22:03:46 UTC
incubator-airflow git commit: [AIRFLOW-933] use ast.literal_eval
rather than eval because ast.literal_eval does not execute input.
Repository: incubator-airflow
Updated Branches:
refs/heads/master 7d95a0dca -> 88d9b0dc9
[AIRFLOW-933] use ast.literal_eval rather than eval because ast.literal_eval does not execute
input.
This PR addresses the following issues:
- *(https://issues.apache.org/jira/browse/AIRFLOW-933)*
This PR is trying to solve a security issue. The
test was done by setting up a local web server and
reproducing the issue described in the JIRA link above.
Closes #2117 from amaliujia/master
Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/88d9b0dc
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/88d9b0dc
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/88d9b0dc
Branch: refs/heads/master
Commit: 88d9b0dc96e7528c87326c8070ee276e8565545f
Parents: 7d95a0d
Author: Rui Wang <ru...@airbnb.com>
Authored: Wed Mar 1 14:03:34 2017 -0800
Committer: Dan Davydov <da...@airbnb.com>
Committed: Wed Mar 1 14:03:37 2017 -0800
----------------------------------------------------------------------
airflow/www/views.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/88d9b0dc/airflow/www/views.py
----------------------------------------------------------------------
diff --git a/airflow/www/views.py b/airflow/www/views.py
index e064f38..0e065a6 100644
--- a/airflow/www/views.py
+++ b/airflow/www/views.py
@@ -44,6 +44,7 @@ from flask._compat import PY2
import jinja2
import markdown
import nvd3
+import ast
from wtforms import (
Form, SelectField, TextAreaField, PasswordField, StringField, validators)
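Review bot: `import ast` is placed after `import nvd3`, in the middle of the third-party imports (`jinja2`, `markdown`, `nvd3`, `wtforms`). `ast` is a standard-library module, so it belongs with the other standard-library imports in this file rather than in this group.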
@@ -168,7 +169,7 @@ def nobr_f(v, c, m, p):
def label_link(v, c, m, p):
try:
- default_params = eval(m.default_params)
+ default_params = ast.literal_eval(m.default_params)
except:
default_params = {}
url = url_for(
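Review bot: the bare `except:` around the new `ast.literal_eval(m.default_params)` call still swallows every exception, so a malformed or hostile `default_params` value silently becomes `{}` and leaves no trace. Catch only the errors `ast.literal_eval` raises for non-literal input, such as `ValueError` and `SyntaxError`, and log that the stored value was rejected. The parsed result is also not checked to be a dict, although the `{}` fallback shows a dict is expected; a list or string literal would pass through unchanged, so an `isinstance(default_params, dict)` check before the value is used would close that gap. The diffstat shows only `airflow/www/views.py` changed, and the commit message describes a manual test; a regression test asserting that a non-literal expression in `default_params` falls back to `{}` without being evaluated would keep `eval` from being reintroduced here.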