[CentralOH] YAML versus Python
iynaix
iynaix at gmail.com
Thu Nov 13 03:09:22 CET 2014
Some quick thoughts:
If the data is only written and used by your own program, it doesn't make
much of a difference whether you use Python (as Django does) or YAML.
Obviously if it has to be used in another language or by other tools,
Python is probably not a good option.
You can output Python (deserialize objects) using the pickle module (
https://docs.python.org/2/library/pickle.html), but it can execute
arbitrary code, so do not use it from untrusted sources, which is also very
explicitly stated in the official python docs.
If the data might possibly be from an outside source, I would go with JSON.
YAML is prettier and also a superset of JSON, but some of the more advanced
features of YAML are exploitable. Ruby on Rails had a string of
vulnerabilities last year based off YAML deserialization. (
https://ronin-ruby.github.io/blog/2013/01/09/rails-pocs.html,
https://ronin-ruby.github.io/blog/2013/01/28/new-rails-poc.html). Again, if
the source is trusted, then it shouldn't be too big of an issue.
Cheers,
XY
On Thu, Nov 13, 2014 at 9:19 AM, <jep200404 at columbus.rr.com> wrote:
> I saw some complex data for initial values in an ugly format.
> Someone else saw it and immediately said to use YAML.
>
> I realized that if the configuration data is used only in a
> Python program, then the configuration data could be a Python
> module, and just be imported. So now I'm wondering about YAML
> versus Python. When is YAML more helpful than Python and vice
> versa?
>
> If one needs to use the data in any language other
> than Python, then Python would be inappropriate, because one
> would need a Python parser for some other language, which
> would be ridiculous. YAML can be grokked by many languages.
>
> If one needs modify the data by a program,
> then YAML is superior because it's easy to output.
> Importing Python is easy, but I'm not aware of a way to easily
> output Python. print(repr(foo)) could be a part of it,
> but it tends towards long lines which are hard to read.
>
> The references in YAML are interesting.
> It makes me wonder about recursive references in Python.
> I had not thought about recursive data structures in Python.
> (I have not needed them yet either.)
>
> Also, as clean as Python is, it has more syntax cruft to wade
> through than YAML. YAML is easier to read.
>
> Golly, I think I've talked myself into YAML.
> What can you add about YAML versus Python for static or
> initializing data?
> _______________________________________________
> CentralOH mailing list
> CentralOH at python.org
> https://mail.python.org/mailman/listinfo/centraloh
>
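The two points above, that pickle resolves arbitrary code references while JSON cannot, can be shown with an allow-listing unpickler. This is an added example, not code from either poster: it assumes a constructed config and uses `pickle.Unpickler.find_class` (the stdlib hook) to refuse any global not on an explicit list, the same idea as PyYAML's `yaml.safe_load` for YAML.

```python
import io
import json
import pickle
from collections import OrderedDict

# Allow-list of (module, name) pairs the restricted unpickler may resolve.
# Constructed for this example; only add types your own program writes.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def restricted_loads(data: bytes):
    """Equivalent of pickle.loads, but with the allow-list enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_restricted(data: bytes):
    """Return ("ok", obj) or ("refused", reason) so a caller can log the event."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("refused", str(exc))


def load_config(data: bytes, fmt: str):
    """JSON for data from outside; restricted pickle only for files we wrote."""
    if fmt == "json":
        return json.loads(data.decode("utf-8"))  # data only, can never name code
    if fmt == "pickle":
        return restricted_loads(data)
    raise ValueError(f"unsupported format: {fmt}")


def demo():
    """Constructed sample inputs: our own config and a pickle that names a function."""
    own_data = pickle.dumps(OrderedDict(retries=3, hosts=["a.example"]))
    code_ref = pickle.dumps(json.dumps)  # a reference to a function, never called here
    return {
        "json": load_config(b'{"retries": 3, "hosts": ["a.example"]}', "json"),
        "own_pickle": try_restricted(own_data),
        "code_ref_restricted": try_restricted(code_ref),
        "code_ref_stock": pickle.loads(code_ref) is json.dumps,  # stock loader resolves it
    }
```

Run `demo()`: the stock `pickle.loads` hands back the referenced function, the restricted loader refuses it, and the JSON path never had the problem.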