[AIRFLOW-933] use ast.literal_eval rather than eval because ast.literal_eval does not execute input.
This PR addresses the following issues:
- *(https://issues.apache.org/jira/browse/AIRFLOW-933)*

This PR is trying to solve a security issue. The test was done by setting up a local web server and reproducing the issue described in the JIRA link above.

Closes #2117 from amaliujia/master

Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/0964f189
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/0964f189
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/0964f189

Branch: refs/heads/v1-8-test
Commit: 0964f189f2cd2ac10150040670a542910370e456
Parents: f04ea97
Author: Rui Wang <[email protected]>
Authored: Wed Mar 1 14:03:34 2017 -0800
Committer: Bolke de Bruin <[email protected]>
Committed: Sun Mar 12 08:21:01 2017 -0700

----------------------------------------------------------------------
 airflow/www/views.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/0964f189/airflow/www/views.py
----------------------------------------------------------------------
diff --git a/airflow/www/views.py b/airflow/www/views.py index 86b1291..d8acfef 100644 --- a/airflow/www/views.py +++ b/airflow/www/views.py @@ -44,6 +44,7 @@ from flask._compat import PY2 import jinja2 import markdown import nvd3 +import ast from wtforms import ( Form, SelectField, TextAreaField, PasswordField, StringField, validators) @@ -168,7 +169,7 @@ def nobr_f(v, c, m, p): def label_link(v, c, m, p): try: - default_params = eval(m.default_params) + default_params = ast.literal_eval(m.default_params) except: default_params = {} url = url_for(
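Review bot: in the first hunk (`@@ -44,6 +44,7 @@`), `import ast` is dropped into the third-party import group, between `import nvd3` and the `from wtforms import (...)` block. `ast` is a standard-library module; move it up with the standard-library imports so the grouping (stdlib, then third-party) stays intact and nobody reads `ast` as a new dependency.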
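Review bot: in the `label_link` hunk (`@@ -168,7 +169,7 @@`), the bare `except:` around `ast.literal_eval(m.default_params)` still catches everything, including `KeyboardInterrupt` and `SystemExit`, and it hides the one behaviour change this patch introduces: any stored `default_params` that was a legitimate Python expression rather than a literal (a function call, a name, arithmetic other than `+`/`-` on numbers) now raises `ValueError` and silently degrades to `{}` in the rendered link. Narrow it to `except (ValueError, SyntaxError, TypeError):` and log the rejected value so operators can find rows that need migrating. Two further points for the same lines: `literal_eval` accepts any literal, so `[1, 2]` or `'x'` parses successfully and leaves `default_params` as something other than a dict; add `if not isinstance(default_params, dict): default_params = {}` after the `try`. And while `literal_eval` does not execute input, the Python documentation warns that sufficiently large or deeply nested input can still exhaust the parser's stack or memory, so if this column is reachable by untrusted users a length bound before parsing is cheap insurance. Finally, the diffstat shows only this one call site changed; a sentence in the commit message saying whether other `eval()` uses in the web UI were audited would help reviewers of the v1-8-test backport.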
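The commit subject states the reason for the change in one clause: `eval` executes its input, `ast.literal_eval` does not. The following stand-alone Python script is an added example, not code from this commit or from the Airflow project, showing the difference on a stored `default_params` string and a hardened variant of the patched `try`/`except` (narrowed exception list, dict type check, input length bound). The helper names, the `EVAL_PWNED` environment marker and every sample string are this example's own constructions; the hardening choices are the example's, not Airflow's.

```python
"""Added example (not the Airflow commit's code): eval() vs ast.literal_eval
on a stored default_params string, plus a hardened version of the patched
try/except.  Helper names, the EVAL_PWNED marker and all sample strings are
this example's own constructions."""
import ast
import os

# Constructed sample: a legitimate default_params value as it might be stored.
BENIGN = "{'start': '2017-03-01', 'retries': 3, 'tags': ['a', 'b']}"

# Constructed payload: a valid Python expression.  eval() runs the call and
# returns the trailing {} so the caller sees nothing unusual; the side effect
# here is an environment variable, standing in for os.system() or worse.
MALICIOUS = "__import__('os').environ.__setitem__('EVAL_PWNED', '1') or {}"

# literal_eval accepts any literal; a stored list would slip through unchecked.
NOT_A_DICT = "[1, 2, 3]"

# Deeply nested input: no code runs, but the parser can still hit its limits.
DEEP = "[" * 5000 + "]" * 5000


def unsafe_eval_params(raw):
    """Pre-patch behaviour: eval() executes whatever expression is stored."""
    try:
        return eval(raw)  # deliberately unsafe, kept for contrast
    except Exception:
        return {}


def safe_default_params(raw, max_len=64 * 1024):
    """Parse default_params without executing it.

    Same shape as the patched label_link() try/except, with three additions
    (this example's choices, not Airflow's): the except clause is narrowed
    to what literal_eval can raise, the result must be a dict, and the input
    length is bounded before parsing.
    """
    if not isinstance(raw, str) or len(raw) > max_len:
        return {}
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return {}
    return value if isinstance(value, dict) else {}


def _payload_ran(parser):
    """Run parser on MALICIOUS and report whether the payload's side effect happened."""
    os.environ.pop("EVAL_PWNED", None)
    parser(MALICIOUS)
    return os.environ.get("EVAL_PWNED") == "1"


def eval_executes_payload():
    return _payload_ran(unsafe_eval_params)  # True


def literal_eval_executes_payload():
    return _payload_ran(safe_default_params)  # False


if __name__ == "__main__":
    print("eval ran payload:        ", eval_executes_payload())
    print("literal_eval ran payload:", literal_eval_executes_payload())
    for name, raw in [("benign", BENIGN), ("malicious", MALICIOUS),
                      ("not a dict", NOT_A_DICT), ("deep", DEEP)]:
        print(f"{name:11}-> {safe_default_params(raw)!r}"[:70])
```

Run it directly to see that `eval` sets the marker while `literal_eval` rejects the same string with `ValueError`. The `DEEP` case is the caveat the Python documentation attaches to `literal_eval`: it is safe against code execution, not against resource exhaustion, which is why the hardened helper bounds the input length and includes `MemoryError` and `RecursionError` in the exceptions it turns into an empty dict.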
