lava.git - This project has been moved to https://git.lavasoftware.org/lava/lava See: https://lists.linaro.org/pipermail/lava-announce/2018-September/000064.html

diff options

author	Rémi Duraffort <remi.duraffort@linaro.org>	2018-06-15 16:12:53 +0200
committer	Neil Williams <neil.williams@linaro.org>	2018-06-15 17:00:23 +0100
commit	0a8db2d0ec853d3c4675513e69c99c82d4f24ca3 (patch)
tree	5cce7d659a86511335b0c195870bb4232d40ce60 /lava_scheduler_app/api/devices.py
parent	6f40004458564fd3a610e69b9e43a3d0a2708a14 (diff)

Use requests instead of urlopen

urllib.request.urlopen accepts every url schemes, including "file://" while requests does not. This commit fixes a security issue where a user can force lava-server-gunicorn to download any file from the filesystem if it's: * readable by lavaserver * valid yaml Change-Id: I9f43f16aef814f276f0a563bf6f31cfe9cf481df

Diffstat (limited to 'lava_scheduler_app/api/devices.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: