YAML

John Bokma john at castleamber.com
Thu Feb 4 22:18:53 CET 2010


Steven D'Aprano <steve at REMOVE-THIS-cybersource.com.au> writes:

> However, be aware that neither marshal nor pickle guarantees to be safe 
> against malicious data either. The docs for both warn against using them 
> on untrusted data. YAML or JSON *might* be safer, I haven't looked.

Regarding malicious data, from the Loading YAML section of PyYAML:

   Warning: It is not safe to call yaml.load with any data received from
   an untrusted source! yaml.load is as powerful as pickle.load and so
   may call any Python function. Check the yaml.safe_load function
   though.

http://pyyaml.org/wiki/PyYAMLDocumentation#LoadingYAML

yaml.safe_load however, limits to simple Python objects and Python
objects you mark as safe.

-- 
John Bokma                                                               j3b

Hacking & Hiking in Mexico -  http://johnbokma.com/
http://castleamber.com/ - Perl & Python Development



More information about the Python-list mailing list