author | Rémi Duraffort <remi.duraffort@linaro.org> | 2018-06-15 16:12:53 +0200 |
---|---|---|
committer | Neil Williams <neil.williams@linaro.org> | 2018-06-15 17:00:23 +0100 |
commit | 0a8db2d0ec853d3c4675513e69c99c82d4f24ca3 (patch) | |
tree | 5cce7d659a86511335b0c195870bb4232d40ce60 /lava_scheduler_app/api/devices.py | |
parent | 6f40004458564fd3a610e69b9e43a3d0a2708a14 (diff) |
Use requests instead of urlopen
urllib.request.urlopen accepts every URL scheme, including "file://", while
requests does not.
This commit fixes a security issue where a user can force lava-server-gunicorn
to download any file from the filesystem if it's:
* readable by lavaserver
* valid yaml
Change-Id: I9f43f16aef814f276f0a563bf6f31cfe9cf481df
Diffstat (limited to 'lava_scheduler_app/api/devices.py')
0 files changed, 0 insertions, 0 deletions
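The behaviour the commit message describes can be reproduced with the standard library alone. The block below is an added example, not code from this commit or from LAVA: it shows the default `urlopen` serving a constructed local file through a `file://` URL, then two guards that reject it. It goes beyond the commit's fix (switching to requests) by keeping urllib and restricting it instead; `ALLOWED_SCHEMES`, `check_url`, `http_only_opener`, `fetch` and `demo` are hypothetical names.

```python
import pathlib
import tempfile
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only HTTP(S) sources are legitimate


def check_url(url):
    """Return url unchanged if it is an http(s) URL with a host, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError("refusing URL with scheme %r" % parts.scheme)
    return url


def http_only_opener():
    """Build an opener that has no FileHandler, FTPHandler or DataHandler registered."""
    opener = urllib.request.OpenerDirector()
    for cls in (urllib.request.HTTPHandler, urllib.request.HTTPSHandler,
                urllib.request.HTTPRedirectHandler, urllib.request.HTTPErrorProcessor,
                urllib.request.HTTPDefaultErrorHandler, urllib.request.UnknownHandler):
        opener.add_handler(cls())
    return opener


def fetch(url, timeout=10):
    """Hypothetical hardened fetcher: allow-list check first, restricted opener second."""
    with http_only_opener().open(check_url(url), timeout=timeout) as resp:
        return resp.read()


def demo():
    """Compare the default urlopen with both guards on a constructed local file."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = pathlib.Path(tmp, "sample.yaml")
        sample.write_text("key: value\n")  # constructed sample standing in for a server-side file
        url = sample.as_uri()  # file:///... URL
        with urllib.request.urlopen(url) as resp:  # default opener: FileHandler serves it
            served = resp.read().decode()
        verdicts = []
        for guard in (check_url, http_only_opener().open):
            try:
                guard(url)
                verdicts.append("accepted")
            except (ValueError, urllib.error.URLError):
                verdicts.append("rejected")
    return served, verdicts
```

Calling `demo()` returns the file's contents as read by the default opener, followed by the verdict of each guard on the same `file://` URL.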