Repository: incubator-airflow
Updated Branches:
  refs/heads/master 7d95a0dca -> 88d9b0dc9

[AIRFLOW-933] use ast.literal_eval rather than eval because ast.literal_eval does not execute input.

This PR addresses the following issues:
- *(https://issues.apache.org/jira/browse/AIRFLOW-933)*

This PR is trying to solve a security issue. The test was done by setting up a local web server and reproducing the issue described in the JIRA link above.

Closes #2117 from amaliujia/master

Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/88d9b0dc
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/88d9b0dc
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/88d9b0dc

Branch: refs/heads/master
Commit: 88d9b0dc96e7528c87326c8070ee276e8565545f
Parents: 7d95a0d
Author: Rui Wang <[email protected]>
Authored: Wed Mar 1 14:03:34 2017 -0800
Committer: Dan Davydov <[email protected]>
Committed: Wed Mar 1 14:03:37 2017 -0800

----------------------------------------------------------------------
 airflow/www/views.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/88d9b0dc/airflow/www/views.py
----------------------------------------------------------------------
diff --git a/airflow/www/views.py b/airflow/www/views.py index e064f38..0e065a6 100644 --- a/airflow/www/views.py +++ b/airflow/www/views.py @@ -44,6 +44,7 @@ from flask._compat import PY2 import jinja2 import markdown import nvd3 +import ast from wtforms import ( Form, SelectField, TextAreaField, PasswordField, StringField, validators) @@ -168,7 +169,7 @@ def nobr_f(v, c, m, p): def label_link(v, c, m, p): try: - default_params = eval(m.default_params) + default_params = ast.literal_eval(m.default_params) except: default_params = {} url = url_for(
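Review bot: In the first hunk, `+import ast` lands among the third-party imports (`import nvd3` just above, `from wtforms import (` just below). `ast` is a standard-library module, so the conventional grouping (standard library first, then third party) would place it with the other stdlib imports at the top of the module; worth moving it there rather than leaving a stray stdlib import in the middle of the third-party block.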
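Review bot: In the second hunk, replacing `eval(m.default_params)` with `ast.literal_eval(m.default_params)` removes the code-execution path, but the `except:` that follows is still a bare except, so it swallows everything, including `KeyboardInterrupt` and `SystemExit`, and hides any unexpected failure from the logs. `ast.literal_eval` raises `ValueError` for input that is not a literal and `SyntaxError` for input that does not parse, so `except (ValueError, SyntaxError):` keeps the same fallback to `{}` without masking unrelated errors. Separately, `literal_eval` will happily return a list, string or number if the stored value is one of those; since the fallback is `{}`, the caller evidently expects a dict, so an `isinstance(default_params, dict)` check after the call (falling back to `{}` otherwise) would preserve that type guarantee.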
