From 6e6a36944e5f1e20fc11d0092316af8cc65e7801 Mon Sep 17 00:00:00 2001
From: zhuzeyu <zhu.zeyu@zte.com.cn>
Date: Wed, 8 Feb 2017 12:02:46 +0800
Subject: [PATCH] Using yaml.safe_load instead of yaml.load

It is not safe to call yaml.load with any data received from
an untrusted source, so use yaml.safe_load instead.

Reference:
https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: Ic8bf73bf0f2e2c29eb48094367cf558483be1267
---
 ansible/action_plugins/merge_yaml.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ansible/action_plugins/merge_yaml.py b/ansible/action_plugins/merge_yaml.py
index 34ba7fb8db..2aca22e964 100755
--- a/ansible/action_plugins/merge_yaml.py
+++ b/ansible/action_plugins/merge_yaml.py
@@ -19,7 +19,7 @@ import inspect
 import os
 
 from yaml import dump
-from yaml import load
+from yaml import safe_load
 try:
     from yaml import CDumper as Dumper  # noqa: F401
     from yaml import CLoader as Loader  # noqa: F401
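Review bot: The `from yaml import CLoader as Loader` import in the try block is left in place after `load` is dropped, and nothing visible in this hunk still needs a loader class. `Loader` and `CLoader` are PyYAML's full loaders, so keeping the name in scope makes it easy for a later change to reintroduce unsafe parsing through `load(data, Loader=Loader)`. If the import has no other user, remove it; if the C speed-up matters, bind the safe variant instead, `from yaml import CSafeLoader as SafeLoader`, with the pure-Python `SafeLoader` as the fallback. The try/except block continues outside the hunk, so confirm against the rest of the file.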
@@ -42,7 +42,7 @@ class ActionModule(action.ActionBase):
             with open(source, 'r') as f:
                 template_data = f.read()
             template_data = self._templar.template(template_data)
-            result = load(template_data)
+            result = safe_load(template_data)
         return result or {}
 
     def run(self, tmp=None, task_vars=None):
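Review bot: The call `result = safe_load(template_data)` now raises a PyYAML constructor error for any document that carries a Python-specific tag, and nothing in the visible lines catches it or names the file being merged. Existing config files that relied on such tags will fail with a bare traceback. Wrapping the call keeps the safe behaviour and gives the operator the path: `except YAMLError as e: raise AnsibleError("merge_yaml: cannot parse %s: %s" % (source, e))`, which needs `from yaml import YAMLError` and assumes `AnsibleError` is importable here. A one-line comment above the call, such as `# safe_load only: templated output can contain values from inventory or facts`, would also help prevent a revert. The enclosing method begins outside the hunk.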