Change eval(cookies) to json.loads(cookies)

This fixes an RCE vulnerability in the cookie handling. If you rely on an attacker not being able to set cookies for security, you're going to have a bad time.

Also, eval(cookies) will choke on valid JSON. See http://stackoverflow.com/a/1083302
windows
Jordan Milne 12 years ago
parent
commit
ba2544a9d7
usage/views.py

@ -244,7 +244,7 @@ def memusage(request):
if not cookies:
datasets.append(0)
else:
datasets = eval(cookies)
datasets = json.loads(cookies)
if len(datasets) > 10:
while datasets:
del datasets[0]
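Review bot: in memusage, the new `datasets = json.loads(cookies)` line has no error handling visible in this hunk, and the cookie value comes from the client, so a malformed value raises ValueError and the view fails instead of falling back. Wrap the call in try/except ValueError and use the same default as the `if not cookies:` branch (`datasets.append(0)`). Also, none of the hunks shown adds `import json`; confirm usage/views.py already imports it.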
@ -303,7 +303,7 @@ def loadaverage(request):
if not cookies:
datasets.append(0)
else:
datasets = eval(cookies)
datasets = json.loads(cookies)
if len(datasets) > 10:
while datasets:
del datasets[0]
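Review bot: in loadaverage, `if len(datasets) > 10:` directly after the new json.loads call assumes the decoded value is a list, but json.loads returns whatever JSON type the client sent (object, string, number, null). A number or null makes len() raise TypeError, and an object or string breaks `del datasets[0]`. Check `isinstance(datasets, list)` after decoding and reset to the default when it is anything else.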
@ -375,7 +375,7 @@ def gettraffic(request):
datasets_out.append(0)
datasets_out_o.append(0)
else:
datasets = eval(cookies)
datasets = json.loads(cookies)
datasets_in = datasets[0]
datasets_out = datasets[1]
datasets_in_i = datasets[2]
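Review bot: in gettraffic, the context lines after the new json.loads call index `datasets[0]`, `datasets[1]` and `datasets[2]` with no shape check, so a cookie holding a shorter list raises IndexError and one holding a JSON object raises KeyError. Validate that the decoded value is a list with every index this view reads before unpacking it, and fall back to the defaults from the branch above otherwise.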
@ -498,7 +498,7 @@ def getdiskio(request):
datasets_out.append(0)
datasets_out_o.append(0)
else:
datasets = eval(cookies)
datasets = json.loads(cookies)
datasets_in = datasets[0]
datasets_out = datasets[1]
datasets_in_i = datasets[2]
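Review bot: the `datasets = json.loads(cookies)` line in getdiskio is the fourth copy of the same parse in this patch (memusage, loadaverage, gettraffic, getdiskio). Move cookie decoding into one helper that parses, checks the type and returns the default on failure, so the four views cannot drift apart and any later hardening lands in one place.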
