From ba2544a9d769f30096c94ae2187aa6da474b79b9 Mon Sep 17 00:00:00 2001
From: Jordan Milne
Date: Thu, 27 Feb 2014 15:38:38 -0400
Subject: [PATCH] Change eval(cookies) to json.loads(cookies)

This fixes an RCE vulnerability in the cookie handling. If you rely on an attacker not being able to set cookies for security, you're going to have a bad time.

Also, eval(cookies) will choke on valid JSON. See http://stackoverflow.com/a/1083302
---
 usage/views.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/usage/views.py b/usage/views.py
index 33cdffc..7d896ba 100755
--- a/usage/views.py
+++ b/usage/views.py
@@ -244,7 +244,7 @@ def memusage(request):
 if not cookies:
 datasets.append(0)
 else:
- datasets = eval(cookies)
+ datasets = json.loads(cookies)
 if len(datasets) > 10:
 while datasets:
 del datasets[0]
@@ -303,7 +303,7 @@ def loadaverage(request):
 if not cookies:
 datasets.append(0)
 else:
- datasets = eval(cookies)
+ datasets = json.loads(cookies)
 if len(datasets) > 10:
 while datasets:
 del datasets[0]
@@ -375,7 +375,7 @@ def gettraffic(request):
 datasets_out.append(0)
 datasets_out_o.append(0)
 else:
- datasets = eval(cookies)
+ datasets = json.loads(cookies)
 datasets_in = datasets[0]
 datasets_out = datasets[1]
 datasets_in_i = datasets[2]
@@ -498,7 +498,7 @@ def getdiskio(request):
 datasets_out.append(0)
 datasets_out_o.append(0)
 else:
- datasets = eval(cookies)
+ datasets = json.loads(cookies)
 datasets_in = datasets[0]
 datasets_out = datasets[1]
 datasets_in_i = datasets[2]
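Review bot: `json.loads(cookies)` on the new `+` line in memusage raises `ValueError` for any cookie that is not valid JSON, so a stale, truncated or hand-edited cookie now becomes an unhandled exception in the view instead of the harmless default; the identical lines in loadaverage, gettraffic and getdiskio have the same gap. The decoded value is also used as a list without a type check, so a JSON number, string or object parses successfully and then fails at `len(datasets)` or `datasets[0]`. Catching `ValueError` (JSONDecodeError is a subclass) and falling back to the same value the empty-cookie branch produces, plus an `isinstance(datasets, list)` check, closes both; the fallback below assumes `datasets` is the empty list initialised above the hunk (memusage starts before the hunk), so confirm that against the full function. The change also relies on `json` being imported in usage/views.py and on the cookie being written with `json.dumps`, neither of which is visible here — a cookie still written via `str(list)` that contains `None` or `True` would not parse.
```python
    else:
        try:
            decoded = json.loads(cookies)
        except ValueError:  # not valid JSON: treat as no stored history
            decoded = None
        # only a JSON array is a usable history; anything else resets to the default
        datasets = decoded if isinstance(decoded, list) else [0]
    # … unchanged: trimming when more than 10 samples …
```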
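Review bot: In gettraffic the decoded `datasets` is indexed as `datasets[0]`, `datasets[1]` and `datasets[2]` on the context lines directly after the new `json.loads` call, with nothing checking that the cookie decoded to a list of at least that length, so a short array, a scalar or an object in the cookie raises IndexError or TypeError inside the view; getdiskio repeats the same pattern in its hunk. A guard before the indexing such as `if not isinstance(datasets, list) or len(datasets) < 3:` that falls back to the same per-series defaults the empty-cookie branch builds would keep the view on its normal path. The reads from `datasets` continue past the end of the hunk, so the exact length bound and whether each element must itself be a list should be taken from the full function; gettraffic also starts before the hunk.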