48 lines
1.8 KiB
Diff

From 0861bb0df43a20737c38029bcf7d09b14d17352f Mon Sep 17 00:00:00 2001
From: Waylan Limberg <waylan.limberg@icloud.com>
Date: Thu, 14 Mar 2019 09:17:31 -0400
Subject: [PATCH] Update CLI to support PyYAML 5.1
This should avoid any warnings. We use `unsafe_load` because users may
need to pass in actual Python objects. As this is only available from
the CLI, the user has much worse problems if an attacker can use this
as an attach vector.
---
docs/change_log/release-3.1.md | 1 +
markdown/__main__.py | 14 +++++++++++---
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/markdown/__main__.py b/markdown/__main__.py
index 38d08fe0..43e486c9 100644
--- a/markdown/__main__.py
+++ b/markdown/__main__.py
@@ -26,9 +26,17 @@
import warnings
import markdown
try:
- import yaml
+ # We use `unsafe_load` because users may need to pass in actual Python
+ # objects. As this is only available from the CLI, the user has much
+ # worse problems if an attacker can use this as an attach vector.
+ from yaml import unsafe_load as yaml_load
except ImportError: # pragma: no cover
- import json as yaml
+ try:
+ # Fall back to PyYAML <5.1
+ from yaml import load as yaml_load
+ except ImportError:
+ # Fall back to JSON
+ from json import load as yaml_load
import logging
from logging import DEBUG, WARNING, CRITICAL
@@ -97,7 +105,7 @@ def parse_options(args=None, values=None):
options.configfile, mode="r", encoding=options.encoding
) as fp:
try:
- extension_configs = yaml.load(fp)
+ extension_configs = yaml_load(fp)
except Exception as e:
message = "Failed parsing extension config file: %s" % \
options.configfile