What YAML engine do you use?

Fredrik Lundh fredrik at pythonware.com
Sat Jan 22 17:13:50 EST 2005

Alex Martelli wrote:

>>    [1, 2, 'Joe Smith', 8237972883334L,   # comment
>>       {'Favorite fruits': ['apple', 'banana', 'pear']},  # another comment
>>       'xyzzy', [3, 5, [3.14159, 2.71828, []]]]
>> I don't see what YAML accomplishes that something like the above wouldn't.
>> Note that all the values in the above have to be constant literals.
>> Don't suggest using eval.  That would be a huge security hole.
> I do like the idea of a parser that's restricted to "safe expressions"
> in this way.  Once the AST branch merge is done, it seems to me that
> implementing it should be a reasonably simple exercise, at least at a
> "toy level".

for slightly more interop, you could plug in a modified tokenizer, and use


> I wonder, however, if, as an even "toyer" exercise, one might not
> already do it easily -- by first checking each token (as generated by
> tokenize.generate_tokens) to ensure it's safe, and THEN eval _iff_ no
> unsafe tokens were found in the check.  Accepting just square brackets,
> braces, commas, constant strings and numbers, and comments, should be
> pretty safe -- we'd no doubt want to also accept minus (for unary
> minus), plus (to make complex numbers), and specifically None, True,
> False

or you could use a RE to make sure the string only contains safe literals,
and pass the result to eval.

> but that, it appears to me, still leaves little margin for an attacker to prepare
> an evil string that does bad things when eval'd...

besides running out of parsing time or object memory, of course.  unless
you check the size before/during the parse.


More information about the Python-list mailing list