Security Fix for Arbitrary Code Execution - huntr.dev (#1672)

* fixed arbitrary code execution

* Update train.py

* Full to Safe

Co-authored-by: Asjid Kalam <asjid.kalam@gmail.com>
Co-authored-by: Jamie Slome <jamie@418sec.com>
Co-authored-by: Glenn Jocher <glenn.jocher@ultralytics.com>
huntr.dev | the place to protect open source 2021-01-25 17:39:34 +00:00 committed by GitHub
parent 9f4e853c60
commit cf5db95953
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -59,7 +59,7 @@ def train(hyp, opt, device, tb_writer=None, wandb=None):
cuda = device.type != 'cpu'
init_seeds(2 + rank)
with open(opt.data) as f:
data_dict = yaml.load(f, Loader=yaml.FullLoader) # data dict
data_dict = yaml.load(f, Loader=yaml.SafeLoader) # data dict
with torch_distributed_zero_first(rank):
check_dataset(data_dict) # check
train_path = data_dict['train']
@ -476,7 +476,7 @@ if __name__ == '__main__':
assert os.path.isfile(ckpt), 'ERROR: --resume checkpoint does not exist'
apriori = opt.global_rank, opt.local_rank
with open(Path(ckpt).parent.parent / 'opt.yaml') as f:
opt = argparse.Namespace(**yaml.load(f, Loader=yaml.FullLoader)) # replace
opt = argparse.Namespace(**yaml.load(f, Loader=yaml.SafeLoader)) # replace
opt.cfg, opt.weights, opt.resume, opt.global_rank, opt.local_rank = '', ckpt, True, *apriori # reinstate
logger.info('Resuming training from %s' % ckpt)
else:
@ -500,7 +500,7 @@ if __name__ == '__main__':
# Hyperparameters
with open(opt.hyp) as f:
hyp = yaml.load(f, Loader=yaml.FullLoader) # load hyps
hyp = yaml.load(f, Loader=yaml.SafeLoader) # load hyps
# Train
logger.info(opt)
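Review bot: In the `--resume` hunk the value returned by `yaml.load(f, Loader=yaml.SafeLoader)` is expanded directly with `argparse.Namespace(**...)`, with no check that it is a mapping. SafeLoader closes the object-construction path, but an empty `opt.yaml` loads as `None` and other content can load as a list or scalar, so the line fails with a bare TypeError; loading into a name first and checking it, e.g. `saved = yaml.load(f, Loader=yaml.SafeLoader)` followed by `if not isinstance(saved, dict): raise ValueError('opt.yaml must contain a mapping')`, gives a clear failure. The file next to the checkpoint also still sets every option except the five reinstated on the following line, including paths such as `opt.data` and `opt.hyp` that the other two hunks pass to `open()`, so it is worth a comment like `# opt.yaml is trusted input: it replaces all options except cfg/weights/resume/ranks`, or filtering its keys against the parser's known options. The `if __name__ == '__main__':` block starts and ends outside the hunk.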