diff --git a/Markdown-3.0.1-pyaml.patch b/Markdown-3.0.1-pyaml.patch
new file mode 100644
index 0000000..b7bb329
--- /dev/null
+++ b/Markdown-3.0.1-pyaml.patch
@@ -0,0 +1,49 @@
+From 0b8d39920a0415f4b5149a4ee6d9b05455683cf7 Mon Sep 17 00:00:00 2001
+From: Waylan Limberg
+Date: Thu, 14 Mar 2019 09:17:31 -0400
+Subject: [PATCH] Update CLI to support PyYAML 5.1
+
+This should avoid any warnings. We use `unsafe_load` because users may
+need to pass in actual Python objects. As this is only available from
+the CLI, the user has much worse problems if an attacker can use this
+as an attach vector.
+---
+ markdown/__main__.py | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/markdown/__main__.py b/markdown/__main__.py
+index 38d08fe..43e486c 100644
+--- a/markdown/__main__.py
++++ b/markdown/__main__.py
+@@ -26,9 +26,17 @@ import codecs
+ import warnings
+ import markdown
+ try:
+- import yaml
++ # We use `unsafe_load` because users may need to pass in actual Python
++ # objects. As this is only available from the CLI, the user has much
++ # worse problems if an attacker can use this as an attach vector.
++ from yaml import unsafe_load as yaml_load
+ except ImportError: # pragma: no cover
+- import json as yaml
++ try:
++ # Fall back to PyYAML <5.1
++ from yaml import load as yaml_load
++ except ImportError:
++ # Fall back to JSON
++ from json import load as yaml_load
+
+ import logging
+ from logging import DEBUG, WARNING, CRITICAL
+@@ -97,7 +105,7 @@ def parse_options(args=None, values=None):
+ options.configfile, mode="r", encoding=options.encoding
+ ) as fp:
+ try:
+- extension_configs = yaml.load(fp)
++ extension_configs = yaml_load(fp)
+ except Exception as e:
+ message = "Failed parsing extension config file: %s" % \
+ options.configfile
+--
+2.20.1
+
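Review bot: The extension config file read in `parse_options` is now deserialized with `yaml.unsafe_load`, which can construct arbitrary Python objects, so the file has to be treated as code run with the invoking user's privileges; the comment above `from yaml import unsafe_load as yaml_load` gives the rationale but not that requirement. The "CLI only" argument holds for an interactive user, but probably not where a build script or CI job passes a config file taken from a checkout it does not control. I would extend the comment with `# SECURITY: the config file is trusted input; loading it can execute arbitrary Python.` and repeat that in the help text of the config-file option. The `from yaml import load as yaml_load` fallback for PyYAML <5.1 presumably has the same property, since `load` without an explicit Loader used the full loader there, so the comment should cover both branches. If the packaged use cases do not need Python object tags, `from yaml import safe_load as yaml_load` would be the safer default for a distribution patch; `parse_options` continues outside the quoted hunk.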