
Jesper Nøhr committed 945dbda

not loading unpickler by default, wrapping yaml unpacker with lambda-dict to not return crappy data, as it will otherwise, fixing a testcase with wrong content type

  • Parent commits b225c7b


Files changed (3)

File piston/emitters.py

 
 if yaml:  # Only register yaml if it was import successfully.
     Emitter.register('yaml', YAMLEmitter, 'application/x-yaml; charset=utf-8')
-    Mimer.register(yaml.load, ('application/x-yaml',))
+    Mimer.register(lambda s: dict(yaml.load(s)), ('application/x-yaml',))
 
 class PickleEmitter(Emitter):
     """
         return pickle.dumps(self.construct())
         
 Emitter.register('pickle', PickleEmitter, 'application/python-pickle')
-Mimer.register(pickle.loads, ('application/python-pickle',))
+
+"""
+WARNING: Accepting arbitrary pickled data is a huge security concern.
+The unpickler has been disabled by default now, and if you want to use
+it, please be aware of what implications it will have.
+
+Read more: http://nadiana.com/python-pickle-insecure
+
+Uncomment the line below to enable it. You're doing so at your own risk.
+"""
+# Mimer.register(pickle.loads, ('application/python-pickle',))
 
 class DjangoEmitter(Emitter):
     """

File piston/utils.py

             for mime in mimes:
                 if ctype.startswith(mime):
                     return loadee
-
+                    
     def content_type(self):
         """
         Returns the content type of the request in all cases where it is
             return None
         
         return ctype
-        
 
     def translate(self):
         """
         if not self.is_multipart() and ctype:
             loadee = self.loader_for_type(ctype)
             
-            try:
-                self.request.data = loadee(self.request.raw_post_data)
-                    
-                # Reset both POST and PUT from request, as its
-                # misleading having their presence around.
-                self.request.POST = self.request.PUT = dict()
-            except (TypeError, ValueError):
-                # This also catches if loadee is None.
-                raise MimerDataException
+            if loadee:
+                try:
+                    self.request.data = loadee(self.request.raw_post_data)
+                        
+                    # Reset both POST and PUT from request, as its
+                    # misleading having their presence around.
+                    self.request.POST = self.request.PUT = dict()
+                except (TypeError, ValueError):
+                    # This also catches if loadee is None.
+                    raise MimerDataException
+            else:
+                self.request.data = None
 
         return self.request
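Review bot: The `if loadee:` guard added at the top of this hunk makes the comment `# This also catches if loadee is None.` inside the except untrue, since None can no longer reach the call; drop that line or reword it. The except still catches only TypeError and ValueError, so a registered loader that raises its own parser exception (PyYAML's error classes derive from Exception, not ValueError) lets a malformed body escape this boundary as an unhandled error instead of MimerDataException; either catch the loader's parse error here or ensure registered loaders normalise to ValueError. The new else branch sets `self.request.data = None` for an unrecognised content type, which silently changes what handlers see compared with the previous MimerDataException; if that is intended, a comment stating so (e.g. `# No loader for this content type: leave data unset rather than reject the request`) would keep the next reader from treating it as an oversight. translate() starts outside the hunk.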
                 

File tests/test_project/apps/testapp/tests.py

         resp = self.client.post('/api/expressive.yaml',
             '  8**sad asj lja foo',
             HTTP_AUTHORIZATION=self.auth_string,
-            content_type='application/yaml')
+            content_type='application/x-yaml')
         self.assertEquals(resp.status_code, 400)
 
 class Issue36RegressionTests(MainTests):