Posted to commits@airflow.apache.org by bo...@apache.org on 2017/03/13 04:45:27 UTC
[29/45] incubator-airflow git commit: [AIRFLOW-933] use ast.literal_eval rather than eval because ast.literal_eval does not execute input.
[AIRFLOW-933] use ast.literal_eval rather than eval because ast.literal_eval does not execute input.
This PR addresses the following issues:
- *(https://issues.apache.org/jira/browse/AIRFLOW-933)*
This PR is trying to solve a security issue. The test was done by setting up a local web server and reproducing the issue described in the JIRA link above.
Closes #2117 from amaliujia/master
Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/0964f189
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/0964f189
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/0964f189
Branch: refs/heads/v1-8-stable
Commit: 0964f189f2cd2ac10150040670a542910370e456
Parents: f04ea97
Author: Rui Wang <ru...@airbnb.com>
Authored: Wed Mar 1 14:03:34 2017 -0800
Committer: Bolke de Bruin <bo...@Bolkes-MacBook-Pro.local>
Committed: Sun Mar 12 08:21:01 2017 -0700
----------------------------------------------------------------------
airflow/www/views.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/0964f189/airflow/www/views.py
----------------------------------------------------------------------
diff --git a/airflow/www/views.py b/airflow/www/views.py
index 86b1291..d8acfef 100644
--- a/airflow/www/views.py
+++ b/airflow/www/views.py
@@ -44,6 +44,7 @@ from flask._compat import PY2
import jinja2
import markdown
import nvd3
+import ast
from wtforms import (
Form, SelectField, TextAreaField, PasswordField, StringField, validators)
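Review bot: `import ast` is placed after `import nvd3`, inside the run of third-party imports (jinja2, markdown, nvd3), although ast is a standard-library module. Group it with the file's other standard-library imports so the import ordering stays consistent and the new dependency is easy to spot when auditing.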
@@ -168,7 +169,7 @@ def nobr_f(v, c, m, p):
def label_link(v, c, m, p):
try:
- default_params = eval(m.default_params)
+ default_params = ast.literal_eval(m.default_params)
except:
default_params = {}
url = url_for(
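Review bot: the bare `except:` around the new `ast.literal_eval(m.default_params)` call is left as it was, so every failure, including input that literal_eval refuses to parse, silently becomes `default_params = {}`. Catch `(ValueError, SyntaxError)` explicitly and log the failure, so that a malformed or tampered `default_params` value is visible instead of swallowed. Note also that literal_eval accepts any Python literal (list, string, number, tuple), so add an `isinstance(default_params, dict)` check before the value is used below, and fall back to `{}` when it is not a dict.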