PyYaml?

Chris S. chrisks at NOSPAM.udel.edu
Sat Sep 18 01:26:28 EDT 2004


Andrew Dalke wrote:

> Looking at the PyYaml docs, under "limitations"
> 
> 
> ] PyYaml converts Python builtin types bidirectionally, and converts
> ] instances unidirectionally (although with directives eg from_yaml
> ] and to_yaml it can do this bidirectionally). When YAMLizing an
> ] instance, PyYaml serializes only its instance data (its '.dict'),
> ] with no meta-information about which class it came from.
> 
> Add support for restoring an arbitrary class and you end
> up with exactly the same security problems pickle has.

I believe those docs are slightly outdated. PyYaml does have limited 
support for class restoration (at least in my experience). Granted the 
class definition must be loaded into the current frame, a similar 
limitation of Pickle. However, Pickle's small programming language 
allows for arbitrary file deletion. That would not be possible with Yaml.

> Also, I'll guess that it doesn't handle Python's new __slots__
> since it only mentions __dict__.

True. In fact, the current implementation doesn't yet fully handle 
subclassing/inheritance. They've done a lot, but it's still a work in 
progress.
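Added illustration of the pickle point made above (this is editor-supplied example code, not something posted in the thread, and it uses only the Python standard library; the 2004-era PyYaml package is not exercised). A pickle stream is a small program: the sender's __reduce__ can name any importable callable, such as os.remove, and the receiving side runs it on load without needing the sender's class at all. The example creates a throwaway file in a temporary directory, builds such a payload against it, shows that pickle's stock loader deletes the file, and shows a restricted Unpickler whose find_class refuses every global so the same bytes cannot make the call while plain data still loads. The file name and the DeleteOnLoad class are constructed for the demonstration. As a caveat for anyone reading this today: later PyYAML releases gained !!python/object/apply tags that call arbitrary callables in the same way when loaded with the unrestricted Loader, which is why yaml.safe_load exists.

```python
import io
import os
import pickle
import pickletools
import tempfile


class DeleteOnLoad:
    """Attacker-supplied object (constructed for this example).  __reduce__ tells
    pickle to reconstruct it by calling os.remove(path); the receiver never needs
    this class, only the os module, which every interpreter has."""

    def __init__(self, path):
        self.path = path

    def __reduce__(self):
        # (callable, args): pickle emits the callable as a global reference
        # plus a REDUCE opcode, so merely loading the bytes performs the call.
        return (os.remove, (self.path,))


def build_payload(path):
    """Serialize the malicious object; the bytes name os.remove and carry the path."""
    return pickle.dumps(DeleteOnLoad(path))


def payload_opcodes(payload):
    """Disassemble with pickletools and return the opcode names, i.e. the program."""
    return [op.name for op, _arg, _pos in pickletools.genops(payload)]


def uses_global_call(payload):
    """True when the stream resolves a global (GLOBAL/STACK_GLOBAL) and calls it (REDUCE)."""
    ops = set(payload_opcodes(payload))
    return bool(ops & {"GLOBAL", "STACK_GLOBAL"}) and "REDUCE" in ops


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global name, so no callable can be invoked.
    A real deployment would whitelist specific safe names here instead of denying all."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(payload):
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def demo():
    """Create a throwaway file, load the payload both ways, and report what happened."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.txt")  # constructed target file
        with open(victim, "w") as fh:
            fh.write("important data\n")
        payload = build_payload(victim)
        result["global_call_in_payload"] = uses_global_call(payload)

        # The restricted loader raises before any REDUCE can run; the file survives.
        try:
            restricted_loads(payload)
            result["restricted_refused"] = False
        except pickle.UnpicklingError:
            result["restricted_refused"] = True
        result["exists_after_restricted"] = os.path.exists(victim)

        # Plain builtin data still round-trips through the restricted loader.
        result["plain_data_ok"] = restricted_loads(pickle.dumps({"a": [1, 2]})) == {"a": [1, 2]}

        # The stock loader executes os.remove(victim) as a side effect of loading.
        pickle.loads(payload)
        result["exists_after_loads"] = os.path.exists(victim)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and payload_opcodes shows the GLOBAL/STACK_GLOBAL and REDUCE instructions that make the stream a program rather than data; the restricted loader denies all globals, which is the simplest safe policy, and the stdlib pickle documentation shows the whitelisting variant of find_class for cases where a few builtins are genuinely needed.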
