Python Package: django_make_app
Version: Before 0.1.3
Published: Nov. 10th, 2017
Reported by: Joel
django_make_app lets you define models and fields in YAML and generates a Django app with views, forms, templates, etc. An issue was discovered in the django_make_app package before 0.1.3: untrusted data passed into the read_yaml_file function can execute arbitrary Python code, resulting in command execution.
At present, the maintainers have not yet released a patch. read_yaml_file should use yaml.safe_load to parse the YAML file.
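The following is an added example, not code from the django_make_app project: a hardened read_yaml_file that uses yaml.safe_load, shown beside the unsafe-loader pattern the advisory describes. The YAML field names are constructed for illustration, and a benign !!python/tuple tag stands in for any Python-specific tag so the rejection can be observed without executing anything. Requires PyYAML.

```python
import os
import tempfile
import yaml

# Constructed sample of the kind of model definition django_make_app reads
# (field names are assumed, not taken from the project).
SAFE_YAML = """
app: blog
models:
  Post:
    fields:
      title: CharField
      body: TextField
"""

# Constructed sample carrying a Python-specific tag. An unsafe loader builds a
# Python object from it; safe_load refuses it. A !!python/tuple tag is used so
# nothing is executed, but the same loader honours every !!python/* tag.
TAGGED_YAML = """
app: !!python/tuple [blog, evil]
"""

def read_yaml_file_unsafe(path):
    """The vulnerable pattern: yaml.Loader honours !!python/* tags, so the
    contents of an untrusted file decide what Python objects get built."""
    with open(path) as fh:
        return yaml.load(fh, Loader=yaml.Loader)

def read_yaml_file(path):
    """Hardened version: safe_load only produces plain dicts, lists, strings,
    numbers and similar, and raises ConstructorError on Python-specific tags."""
    with open(path) as fh:
        return yaml.safe_load(fh)

def parse_or_error(reader, text):
    """Write text to a temp file, parse it with reader, and return the parsed
    data or the name of the YAML exception raised."""
    with tempfile.NamedTemporaryFile("w", suffix=".yaml", delete=False) as fh:
        fh.write(text)
        path = fh.name
    try:
        return reader(path)
    except yaml.YAMLError as exc:
        return type(exc).__name__
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(parse_or_error(read_yaml_file, SAFE_YAML))          # plain dict
    print(parse_or_error(read_yaml_file, TAGGED_YAML))        # ConstructorError
    print(parse_or_error(read_yaml_file_unsafe, TAGGED_YAML)) # tuple built
```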