john at castleamber.com
Thu Feb 4 22:18:53 CET 2010
Steven D'Aprano <steve at REMOVE-THIS-cybersource.com.au> writes:
> However, be aware that neither marshal nor pickle guarantees to be safe
> against malicious data either. The docs for both warn against using them
> on untrusted data. YAML or JSON *might* be safer, I haven't looked.
Regarding malicious data, from the Loading YAML section of PyYAML:
Warning: It is not safe to call yaml.load with any data received from
an untrusted source! yaml.load is as powerful as pickle.load and so
may call any Python function. Check the yaml.safe_load function
yaml.safe_load, however, limits to simple Python objects and Python
objects you mark as safe.
John Bokma j3b
Hacking & Hiking in Mexico - http://johnbokma.com/
http://castleamber.com/ - Perl & Python Development
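The distinction John draws (a loader that can resolve any Python callable versus one restricted to simple objects plus types you explicitly mark as safe) applies equally to pickle, which the thread compares yaml.load to. The following is an added example, not code from the mailing-list post or from PyYAML; it uses only the standard library and builds a restricted Unpickler with an allowlist, the pickle analogue of yaml.safe_load. The `Point` class, the `SAFE_GLOBALS` set and the sample payloads are constructed for illustration.

```python
import io
import pickle
from fractions import Fraction


# Hypothetical application class: the one type we choose to mark as safe,
# playing the role a YAMLObject registered with yaml.SafeLoader plays in PyYAML.
class Point:
    def __init__(self, x, y):
        self.x, self.y = x, y

    def __eq__(self, other):
        return isinstance(other, Point) and (self.x, self.y) == (other.x, other.y)


# Allowlist of globals the loader may resolve, as (module, qualified name) pairs.
# Anything not listed here is refused, whatever the payload asks for.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    (__name__, "Point"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to import anything outside SAFE_GLOBALS.

    Plain ints, strings, bytes, lists, dicts and tuples need no global lookup,
    so they still load; any other class or function raises UnpicklingError
    before it is ever imported or called.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not marked safe")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that enforces the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Load three constructed payloads through the restricted loader."""
    # Constructed sample inputs: simple data, a marked-safe object, and an
    # object whose class (fractions.Fraction) is harmless but not on the list.
    simple = pickle.dumps({"users": ["alice", "bob"], "retries": 3})
    marked_safe = pickle.dumps(Point(1, 2))
    not_marked = pickle.dumps(Fraction(1, 2))

    results = {
        "simple": restricted_loads(simple),
        "marked_safe": restricted_loads(marked_safe),
    }
    try:
        restricted_loads(not_marked)
        results["unmarked_rejected"] = False
    except pickle.UnpicklingError:
        results["unmarked_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from it is the same as with yaml.safe_load: safety comes from the loader refusing to resolve names it was not told about, so the allowlist has to stay short and deliberate. Adding a module's every class to `SAFE_GLOBALS` would hand back the power the restriction was meant to remove.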