#31896 closed New feature (wontfix)
Using unsafe PyYAML utils when loading fixtures.
| Reported by: | German Prostakov | Owned by: | nobody |
|---|---|---|---|
| Component: | Core (Serialization) | Version: | 3.1 |
| Severity: | Normal | Keywords: | fixtures |
| Cc: | Aymeric Augustin | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description (last modified by )
Currently, Django uses PyYAML's SafeLoader to load fixtures which prevent to use some advance utils like !!python/object/apply. To create dates related to the current date, for example, and not static dates that you have to update over time so that they aren't too old.
Anyway, there could be many reasons why a developer would want to use such an util in fixtures. And I believe it should be safe to use UnsafeLoader for fixtures since this is certainly a data that developers create themselves.
Opened a PR: https://github.com/django/django/pull/13320
Change History (4)
comment:1 by , 4 years ago
| Description: | modified (diff) |
|---|
comment:2 by , 4 years ago
| Description: | modified (diff) |
|---|
comment:3 by , 4 years ago
| Cc: | added |
|---|---|
| Component: | Core (Management commands) → Core (Serialization) |
| Resolution: | → wontfix |
| Status: | new → closed |
| Summary: | Allow using unsafe PyYAML utils when loading fixtures → Using unsafe PyYAML utils when loading fixtures. |
comment:4 by , 4 years ago
Oh, thanks! I did not think about SERIALIZATION_MODULES, this seems like a better approach indeed!
Note:
See TracTickets
for help on using tickets.
Thanks for this ticket, however we've changed to a safe loader in Django 1.4 (see d71b4309ca3c4c7aafc446404f86499c7366a771) and I don't see a strong reason to revert it. You can always create your own serializer, and add it to the
SERIALIZATION_MODULESsetting if you need to use theUnsafeLoader.