John Bokma john at castleamber.com
Thu Feb 4 22:18:53 CET 2010

Steven D'Aprano <steve at REMOVE-THIS-cybersource.com.au> writes:

> However, be aware that neither marshal nor pickle guarantees to be safe 
> against malicious data either. The docs for both warn against using them 
> on untrusted data. YAML or JSON *might* be safer, I haven't looked.

Regarding malicious data, from the Loading YAML section of PyYAML:

   Warning: It is not safe to call yaml.load with any data received from
   an untrusted source! yaml.load is as powerful as pickle.load and so
   may call any Python function. Check the yaml.safe_load function
yaml.safe_load, however, limits to simple Python objects and Python
objects you mark as safe.

John Bokma                                                               j3b

Hacking & Hiking in Mexico -  http://johnbokma.com/
http://castleamber.com/ - Perl & Python Development
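As an added example, not part of the original post, the following shows the distinction above in practice, assuming PyYAML is installed: a safe loader refuses both Python-specific tags and unknown tags, and an application extends it only with the tags it explicitly marks as safe. The `!ipv4` tag, the `IPv4` type and `AppLoader` are hypothetical names; all sample documents are constructed.

```python
import yaml

# Constructed sample: plain data, which yaml.safe_load accepts as-is.
PLAIN_DOC = """
name: demo
ports: [22, 443]
tls: true
"""

# Constructed sample carrying a Python-specific tag. An unrestricted loader
# would honour it by calling the named function; SafeLoader refuses it.
TAGGED_DOC = """
name: demo
handler: !!python/object/apply:builtins.print ["never runs"]
"""

# Constructed sample using an application tag that we deliberately mark safe.
CUSTOM_DOC = "addr: !ipv4 192.0.2.10\n"


class IPv4(str):
    """Hypothetical value type produced by the !ipv4 tag."""


def _construct_ipv4(loader, node):
    """Build an IPv4 from a scalar node, validating the dotted-quad shape."""
    value = loader.construct_scalar(node)
    parts = value.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise yaml.constructor.ConstructorError(
            None, None, "invalid IPv4 address %r" % value, node.start_mark)
    return IPv4(value)


class AppLoader(yaml.SafeLoader):
    """SafeLoader plus only the tags this application marks as safe."""


AppLoader.add_constructor("!ipv4", _construct_ipv4)


def load_untrusted(text, loader=yaml.SafeLoader):
    """Parse YAML from an untrusted source with a safe loader.

    With the default loader this is equivalent to yaml.safe_load(text).
    Returns (True, data) or (False, reason); unknown or Python-specific
    tags are rejected rather than executed.
    """
    try:
        return True, yaml.load(text, Loader=loader)
    except yaml.YAMLError as exc:
        return False, str(exc)
```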
