Bug 1469999 - Use yaml.safe_load() for loading shaders manifest; r=chmanchester

yaml.load() isn't safe and can lead to arbitrary code execution for
untrusted input. While probably not an issue here, I'm trying to
rid the tree of all yaml.load() instances so we can add a lint to
ban its usage.

Differential Revision: https://phabricator.services.mozilla.com/D1739

--HG--
extra : rebase_source : 4db69cde270b71335218b40d7b662c170854a6aa
extra : histedit_source : a740d99092c345ec8c6fcdb028498798c103b6a5
Gregory Szorc 2018-06-20 14:32:46 -07:00
Parent 6e4366049c
Commit d82ec22992
1 changed file: 1 addition and 1 deletion

@ -38,7 +38,7 @@ FOOTER = """
def process_manifest(output_fp, manifest_filename):
with codecs.open(manifest_filename, 'r', 'UTF-8') as in_fp:
manifest = yaml.load(in_fp)
manifest = yaml.safe_load(in_fp)
shader_folder, _ = os.path.split(manifest_filename)
output_fp.write(HEADER)
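
Review bot: at `manifest = yaml.safe_load(in_fp)` in process_manifest, safe_load raises a ConstructorError on any Python-specific tag (`!!python/...`) that yaml.load would have accepted, so please confirm the shaders manifest uses only plain mappings, sequences and scalars by running the generator once against the in-tree manifest. Separately, safe_load returns None for an empty file and nothing in the visible lines checks `manifest` before `output_fp.write(HEADER)`; an explicit check with a clear error message would make a malformed manifest fail early instead of producing a partial output file.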