修复用户上传文件中的yaml解析漏洞

CHANGES.md

@@ -1,5 +1,10 @@
 ## 版本更新记录
 
+### v0.7.1 2021-09
+
+- [修复]用户上传文件中yaml加载的安全漏洞；
+
+
 ### v0.7.0 2021-08
 
 - [新增]修改文档页面快捷键（Ctrl+S）保存;

MrDoc/settings.py

@@ -40,7 +40,7 @@ SECRET_KEY = '5&71mt9@^58zdg*_!t(x6g14q*@84d%ptr%%s6e0l50zs0we3d'
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = CONFIG.getboolean('site','debug',fallback=False)
 
-VERSIONS = '0.6.9'
+VERSIONS = '0.7.0'
 
 ALLOWED_HOSTS = ['*']
 

app_doc/import_utils.py

@@ -58,7 +58,7 @@ class ImportZipProject():
         # 读取yaml文件
         try:
             with open(os.path.join(self.temp_dir ,'mrdoc.yaml'),'r',encoding='utf-8') as yaml_file:
-                yaml_str = yaml.load(yaml_file.read())
+                yaml_str = yaml.safe_load(yaml_file.read())
                 project_name = yaml_str['project_name'] \
                     if 'project_name' in yaml_str.keys() else zip_file_path[:-4].split('/')[-1]
                 project_desc = yaml_str['project_desc'] if 'project_desc' in yaml_str.keys() else ''