dev-ros/rosparam: fix yaml.load usage

Bug: https://bugs.gentoo.org/698668
Package-Manager: Portage-2.3.81, Repoman-2.3.20
Signed-off-by: Alexis Ballier <aballier@gentoo.org>

2 files changed, 23 insertions, 0 deletions

diff --git a/dev-ros/rosparam/files/yaml.patch b/dev-ros/rosparam/files/yaml.patch
new file mode 100644
index 000000000000..a4ed42758f13
--- /dev/null
+++ b/dev-ros/rosparam/files/yaml.patch
@@ -0,0 +1,22 @@
+From 481ad19689561052afde658ab0c54c91b0e5e04a Mon Sep 17 00:00:00 2001
+From: Maxime St-Pierre <me@maximest-pierre.me>
+Date: Sun, 10 Nov 2019 06:27:40 -0500
+Subject: [PATCH] Fix #1833 change unsafe yaml.load to yaml.safe_load
+
+---
+ tools/rosparam/src/rosparam/__init__.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/rosparam/src/rosparam/__init__.py b/tools/rosparam/src/rosparam/__init__.py
+index 3279ab97d..fd8b0569f 100644
+--- a/tools/rosparam/src/rosparam/__init__.py
++++ b/tools/rosparam/src/rosparam/__init__.py
+@@ -368,7 +368,7 @@ def set_param(param, value, verbose=False):
+     :param param: parameter name, ``str``
+     :param value: yaml-encoded value, ``str``
+     """
+-    set_param_raw(param, yaml.load(value), verbose=verbose)
++    set_param_raw(param, yaml.safe_load(value), verbose=verbose)
+ 
+ def upload_params(ns, values, verbose=False):
+     """
diff --git a/dev-ros/rosparam/rosparam-1.14.3.ebuild b/dev-ros/rosparam/rosparam-1.14.3-r1.ebuild
index bdb18d0b8521..01c504f690f3 100644
--- a/dev-ros/rosparam/rosparam-1.14.3.ebuild
+++ b/dev-ros/rosparam/rosparam-1.14.3-r1.ebuild
@@ -20,3 +20,4 @@ RDEPEND="
 	dev-python/pyyaml[${PYTHON_USEDEP}]
 "
 DEPEND="${RDEPEND}"
+PATCHES=( "${FILESDIR}/yaml.patch" )