Clark C. Evans cce at
Mon Sep 20 23:42:55 CEST 2004

On Mon, Sep 20, 2004 at 10:02:49PM +0100, Paul Moore wrote:
| > Serialization security seems generally assigned as a responsibility
| > of the user, who is usually in the best position to gauge their
| > data's effects. The best a serialization format can do is ensure
| > data reconstruction within the bounds described by the user.
| As I say, most of this should be in the YAML documentation. I'll be
| charitable and assume that it's just something that hasn't been
| written up yet, but that section in the spec that I quoted looks
| pretty explicit in its vagueness :-)

Indeed.  I'd go so far as to say it's a blind spot; or, probably more
accurately, something that we have not had time to seriously
address. I think some of the changes with how implicit typing is
specified should help in this regard -- it punts many of the
security issues to the application.  If the Application wishes to
use a lazy approach (and hence insecure) to mapping tags to native
object implementations, then it should be explicitly requested by
the Application. The other faults in PyYaml, as diligently pointed
out by Andrew, are implementation faults and not directly
attributable to YAML itself.
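As an added illustration of the opt-in model described above (not code from this thread, and written against modern PyYAML rather than the 2004 PyYaml under discussion): the application starts from the restricted SafeLoader and registers the one tag-to-object mapping it wants, so any tag it did not ask for is rejected instead of being resolved to a native constructor. The `Point` class, the `!point` tag and the sample documents are constructed for the example.

```python
# Added example, not from the original thread. Assumes PyYAML is installed.
# The application, not the format, decides which tags map to native objects.
import yaml


class Point:
    """Constructed sample type the application chooses to expose via a tag."""
    def __init__(self, x, y):
        self.x, self.y = x, y

    def __eq__(self, other):
        return isinstance(other, Point) and (self.x, self.y) == (other.x, other.y)


class AppLoader(yaml.SafeLoader):
    """SafeLoader subclass: only tags registered on it are constructed."""


def _construct_point(loader, node):
    # Build a Point from a YAML mapping node such as {x: 1, y: 2}.
    data = loader.construct_mapping(node)
    return Point(int(data["x"]), int(data["y"]))


# Explicit opt-in: this is the only custom tag the application accepts.
AppLoader.add_constructor("!point", _construct_point)


def load_app_yaml(text):
    """Parse with the restricted loader; unregistered tags raise ConstructorError."""
    return yaml.load(text, Loader=AppLoader)


def load_or_error(text):
    """Return (document, None) on success or (None, error_class_name) when rejected."""
    try:
        return load_app_yaml(text), None
    except yaml.constructor.ConstructorError as exc:
        return None, type(exc).__name__


# Constructed sample documents.
ALLOWED_DOC = "origin: !point {x: 1, y: 2}\n"
# A tag the application never registered: rejected rather than resolved.
UNKNOWN_TAG_DOC = "thing: !!python/object:os.system {}\n"
```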

