What YAML engine do you use?
Alex Martelli
aleaxit at yahoo.com
Sat Jan 22 17:00:35 EST 2005
Paul Rubin <http://phr.cx@NOSPAM.invalid> wrote:
...
> lists. I think it would be great if the Python library exposed an
> interface for parsing constant list and dict expressions, e.g.:
>
> [1, 2, 'Joe Smith', 8237972883334L, # comment
> {'Favorite fruits': ['apple', 'banana', 'pear']}, # another comment
> 'xyzzy', [3, 5, [3.14159, 2.71828, []]]]
>
> I don't see what YAML accomplishes that something like the above wouldn't.
>
> Note that all the values in the above have to be constant literals.
> Don't suggest using eval. That would be a huge security hole.
I do like the idea of a parser that's restricted to "safe expressions"
in this way. Once the AST branch merge is done, it seems to me that
implementing it should be a reasonably simple exercise, at least at a
"toy level".
I wonder, however, if, as an even "toyer" exercise, one might not
already do it easily -- by first checking each token (as generated by
tokenize.generate_tokens) to ensure it's safe, and THEN eval _iff_ no
unsafe tokens were found in the check. Accepting just square brackets,
braces, commas, constant strings and numbers, and comments, should be
pretty safe -- we'd no doubt want to also accept minus (for unary
minus), plus (to make complex numbers), and specifically None, True,
False -- but that, it appears to me, still leaves little margin for an
attacker to prepare an evil string that does bad things when eval'd...
Alex
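The "check the tokens, then eval" approach sketched above, as an added example that is not code from the original thread. It follows the token list in the post (square brackets, braces, commas, strings, numbers, comments, unary minus, plus for complex literals, and the names None/True/False), adds `:` because dict literals need one, and leaves parentheses out. The depth and length caps are assumptions of this example. One check did not exist in 2005 and matters today: Python 3.6 through 3.11 tokenize an f-string such as `f'{...}'` as a single STRING token, and an f-string evaluates arbitrary expressions, so any STRING token with an `f` prefix must be rejected (Python 3.12 emits separate FSTRING_* tokens, which the whitelist rejects anyway). Since Python 2.6 the standard library's `ast.literal_eval` does this job on the AST rather than the token stream and is the right tool in practice; the block keeps a helper that checks the two agree on a given input.

```python
import ast
import io
import tokenize

# Whitelist following the post: brackets, braces, commas, unary minus and plus
# for complex literals. The colon is added here because dict literals need it.
ALLOWED_OPS = {"[", "]", "{", "}", ",", ":", "-", "+"}
ALLOWED_NAMES = {"None", "True", "False"}
# Tokens that carry no value: comments, line ends, end of input.
IGNORED_TYPES = {tokenize.COMMENT, tokenize.NL, tokenize.NEWLINE, tokenize.ENDMARKER}
MAX_DEPTH = 50          # assumption: bound nesting so the parser cannot be exhausted
MAX_LENGTH = 1 << 16    # assumption: bound input size


class UnsafeLiteral(ValueError):
    """Raised when the text contains anything outside the whitelist."""


def check_tokens(text):
    """Walk the token stream and raise UnsafeLiteral on the first disallowed token."""
    if len(text) > MAX_LENGTH:
        raise UnsafeLiteral("input too long")
    depth = 0
    try:
        for tok in tokenize.generate_tokens(io.StringIO(text).readline):
            if tok.type in IGNORED_TYPES:
                continue
            if tok.type == tokenize.OP:
                if tok.string not in ALLOWED_OPS:
                    raise UnsafeLiteral(f"operator {tok.string!r} not allowed")
                if tok.string in {"[", "{"}:
                    depth += 1
                    if depth > MAX_DEPTH:
                        raise UnsafeLiteral("nesting too deep")
                elif tok.string in {"]", "}"}:
                    depth -= 1
                    if depth < 0:
                        raise UnsafeLiteral("unbalanced brackets")
            elif tok.type == tokenize.NUMBER:
                continue
            elif tok.type == tokenize.STRING:
                # The closing quote char is the last char; everything before its
                # first occurrence is the prefix (r, b, u, f in any case/order).
                prefix = tok.string[: tok.string.index(tok.string[-1])]
                if "f" in prefix.lower():
                    # Python 3.6-3.11 deliver an f-string as one STRING token and
                    # an f-string runs arbitrary code, so it must never reach eval.
                    raise UnsafeLiteral("f-strings not allowed")
            elif tok.type == tokenize.NAME:
                if tok.string not in ALLOWED_NAMES:
                    raise UnsafeLiteral(f"name {tok.string!r} not allowed")
            else:
                # Covers FSTRING_START on 3.12+, INDENT/DEDENT, and anything new.
                raise UnsafeLiteral(f"token {tokenize.tok_name[tok.type]} not allowed")
    except (tokenize.TokenError, SyntaxError) as exc:
        raise UnsafeLiteral(f"tokenize failed: {exc}") from None
    if depth != 0:
        raise UnsafeLiteral("unbalanced brackets")


def safe_literal(text):
    """Return the value of a constant list/dict expression, or raise UnsafeLiteral."""
    text = text.strip()
    check_tokens(text)
    try:
        # No NAME token survived the filter, so there is nothing for eval to look
        # up; the empty builtins are defence in depth, not the primary control.
        return eval(text, {"__builtins__": {}}, {})
    except SyntaxError as exc:
        raise UnsafeLiteral(f"not a literal expression: {exc.msg}") from None


def is_safe(text):
    """True if text passes the filter and evaluates, False otherwise."""
    try:
        safe_literal(text)
        return True
    except UnsafeLiteral:
        return False


def agrees_with_stdlib(text):
    """Check the token filter against ast.literal_eval, the standard-library answer."""
    return safe_literal(text) == ast.literal_eval(text.strip())


# Constructed sample: the quoted expression from the thread, with the Python 2
# long suffix on 8237972883334L dropped so it is a valid Python 3 literal.
SAMPLE = """[1, 2, 'Joe Smith', 8237972883334, # comment
{'Favorite fruits': ['apple', 'banana', 'pear']}, # another comment
'xyzzy', [3, 5, [3.14159, 2.71828, []]]]"""

if __name__ == "__main__":
    print(safe_literal(SAMPLE))
    for bad in ("__import__('os').system('id')",
                "f'{__import__(\"os\").system(\"id\")}'",
                "[1] * 10**9",
                "[" * 60 + "]" * 60):
        print(repr(bad[:40]), "->", is_safe(bad))
```

The filter is only as good as its whitelist: every new token kind the language grows (f-strings being the historical lesson) has to be rejected explicitly, which is why a parser over the AST, as `ast.literal_eval` does, is the better place to enforce "literals only".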
More information about the Python-list mailing list