From 8e88373a82d721647e3d113fa8a2e3d60748f23d Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Tue, 13 Nov 2018 21:11:02 +0100
Subject: [PATCH] Move from yaml.load to yaml.safe_load

yaml.load is equally powerful as python pickles, and we don't need that level of power for the ostree yaml files. Better safe than sorry.

Signed-off-by: Patrick Uiterwijk
---
 pungi/ostree/utils.py | 2 +-
 tests/test_ostree_script.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pungi/ostree/utils.py b/pungi/ostree/utils.py
index 06494dfa..817e74f3 100644
--- a/pungi/ostree/utils.py
+++ b/pungi/ostree/utils.py
@@ -81,7 +81,7 @@ def tweak_treeconf(treeconf, source_repos=None, keep_original_sources=False, upd
 # rpm-ostree now supports YAML, but we'll end up converting it to JSON.
 # https://github.com/projectatomic/rpm-ostree/pull/1377
 if treeconf.endswith('.yaml'):
- treeconf_content = yaml.load(f)
+ treeconf_content = yaml.safe_load(f)
 treeconf = treeconf.replace('.yaml', '.json')
 else:
 treeconf_content = json.load(f)
diff --git a/tests/test_ostree_script.py b/tests/test_ostree_script.py
index 920ed2da..9aa569a3 100644
--- a/tests/test_ostree_script.py
+++ b/tests/test_ostree_script.py
@@ -165,7 +165,7 @@ class OstreeTreeScriptTest(helpers.PungiTestCase):
 with open(treefile, 'r') as f:
 # Read initial content from YAML file
- treefile_content = yaml.load(f)
+ treefile_content = yaml.safe_load(f)
 original_repos = treefile_content['repos']
 original_ref = treefile_content['ref']
 replacing_ref = original_ref + '-changed'
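Review bot: In pungi/ostree/utils.py the value returned by `yaml.safe_load(f)` is used without a type check, and safe_load returns `None` for an empty file and a list or scalar for a document whose top level is not a mapping. The rest of tweak_treeconf lies outside the hunk, but it presumably treats the content as a dict, so a malformed treefile would surface later as an unrelated TypeError or AttributeError. I would add `if not isinstance(treeconf_content, dict): raise ValueError('treefile must contain a mapping')` after the two load branches, which also covers the `json.load` path. Separately, `treeconf.replace('.yaml', '.json')` rewrites every `.yaml` in the path, not only the suffix that `endswith` checked.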
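Review bot: In tests/test_ostree_script.py nothing pins the hardened behaviour: the hunk only switches the test's own fixture read to `yaml.safe_load`, so a later revert to `yaml.load` in pungi/ostree/utils.py would still pass. A small regression test that hands tweak_treeconf a treefile carrying a tag from the `!!python/` family and asserts `yaml.YAMLError` would cover it. Whether that error propagates unchanged depends on code outside this diff. The test method containing these lines starts and ends outside the hunk.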