* Prevents arbitrary code execution during python/object/new constructor
In FullLoader python/object/new constructor, implemented by
construct_python_object_apply, has support for setting the state of a
deserialized instance through the set_python_instance_state method.
After setting the state, some operations are performed on the instance
to complete its initialization, however it is possible for an attacker
to set the instance's state in such a way that arbitrary code is executed
by the FullLoader.
This patch tries to block such attacks in FullLoader by preventing
set_python_instance_state from setting arbitrary properties. It
implements a blacklist that includes `extend` method (called by
construct_python_object_apply) and all special methods (e.g. __set__,
__setitem__, etc.).
Users who need special attributes being set in the state of a
deserialized object can still do it through the UnsafeLoader, which
however should not be used on untrusted input. Additionally, they can
subclass FullLoader and redefine `get_state_keys_blacklist()` to
extend/replace the list of blacklisted keys, passing the subclassed
loader to yaml.load.
* Make sure python/object/new constructor does not set some properties
* Add test to show how to subclass FullLoader with new blacklist
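
A stand-alone sketch of the state-key check described in the commit message above, added here as an illustration; it is not PyYAML's code. Only `get_state_keys_blacklist()` is named on the page; the class names, `check_state_key`, `set_instance_state`, `verdict` and the exact regular expressions are assumptions, and the sample states are constructed.

```python
import re

class StateKeyError(ValueError):
    """A deserialized state mapping named a blocked attribute."""

class GuardedLoader:
    # Hypothetical stand-in for a loader; not PyYAML's FullLoader.
    def get_state_keys_blacklist(self):
        # The two families named in the commit message (assumed patterns).
        return [r"extend", r"__.*__"]

    def check_state_key(self, key):
        if not isinstance(key, str):
            raise StateKeyError(f"state key is not a string: {key!r}")
        for pattern in self.get_state_keys_blacklist():
            if re.fullmatch(pattern, key):
                raise StateKeyError(f"blacklisted state key: {key!r}")

    def set_instance_state(self, instance, state):
        # State is either a dict or a (dict_state, slot_state) pair.
        slot_state = {}
        if isinstance(state, tuple) and len(state) == 2:
            state, slot_state = state
        merged = {**(state or {}), **(slot_state or {})}
        # Check every key first so a rejected document leaves no
        # partially initialised object behind.
        for key in merged:
            self.check_state_key(key)
        for key, value in merged.items():
            setattr(instance, key, value)
        return instance

class StricterLoader(GuardedLoader):
    # Extends the list by overriding the hook, as the message describes.
    def get_state_keys_blacklist(self):
        return super().get_state_keys_blacklist() + [r"_.*"]

class Record:
    pass

def verdict(loader, state):
    """Return 'accepted' or 'rejected' for one constructed state."""
    try:
        loader.set_instance_state(Record(), state)
        return "accepted"
    except StateKeyError:
        return "rejected"
```
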
Hold references to the objects being represented (should fix #22).
The value of a mapping node is represented as a list of pairs `(key, value)`
now.
Sort dictionary items (fix #23).
Recursive structures are now loaded and dumped correctly, including complex
structures like recursive tuples (fix #5). Thanks Peter Murphy for the patches.
To make it possible, representer functions are allowed to be generators.
In this case, the first generated value is an object. Other values produced
by the representer are ignored.
Make Representer not try to guess `!!pairs` when a list is represented.
You need to construct a `!!pairs` node explicitly now.
Do not check for duplicate mapping keys as it didn't work correctly anyway.
The line number is not calculated correctly for DOS-style line breaks.
Fix error reporting in '''remove_possible_simple_key'''. The problem is caused by the document:
{{{
+foo: &A bar
+*A ]
}}}
Raise an error for a complex key which is not indented correctly, for instance:
{{{
? "foo"
: "bar"
}}}