PyYaml?
Andrew Dalke
adalke at mindspring.com
Sat Sep 18 01:02:17 EDT 2004
Chris S. wrote:
> Is there any benefit to Pickle over YAML? Given that Pickle is insecure,
> wouldn't it make more sense to support a secure serialization format,
> one that's even readable to boot, such as YAML? There's even a pure
> Python implementation at www.pyyaml.org
Looking at the PyYaml docs, under "limitations":
] PyYaml converts Python builtin types bidirectionally, and converts
] instances unidirectionally (although with directives eg from_yaml
] and to_yaml it can do this bidirectionally). When YAMLizing an
] instance, PyYaml serializes only its instance data (its '.dict'),
] with no meta-information about which class it came from.
Add support for restoring an arbitrary class and you end
up with exactly the same security problems pickle has.
Also, I'll guess that it doesn't handle Python's new __slots__
since it only mentions __dict__.
Andrew
dalke at dalkescientific.com
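The point about arbitrary class restoration, illustrated with the modern PyYAML package (assumed installed as `yaml`; this is not the 2004 pyyaml.org implementation discussed above, and the `Point` class, `!point` tag and `DOC` document are constructed for the example, not from the post): `SafeLoader` refuses any tag it has no registered constructor for, so a document can only rebuild the specific classes you explicitly allow-list, instead of whatever class name the document names.

```python
import yaml


class Point:
    """A class we are willing to rebuild from untrusted YAML (constructed example)."""

    def __init__(self, x=0, y=0):
        self.x = x
        self.y = y


# Constructed sample document: a tagged node asking the loader to rebuild a class.
DOC = "!point {x: 1, y: 2}\n"

# Constructed sample document naming an arbitrary Python class via the
# python/object tag family; SafeLoader has no constructor registered for it.
ARBITRARY_CLASS_DOC = "!!python/object:builtins.object {}\n"


def point_constructor(loader, node):
    # Only the instance data is read from the document; the class is fixed here.
    data = loader.construct_mapping(node)
    return Point(**data)


class AllowListLoader(yaml.SafeLoader):
    """SafeLoader plus exactly the tags we choose to register."""


AllowListLoader.add_constructor("!point", point_constructor)


def load_allow_listed(text):
    """Rebuild only allow-listed classes; every other tag still raises."""
    return yaml.load(text, Loader=AllowListLoader)


def safe_loader_rejects(text):
    """True if plain safe_load refuses the document's tag (the default for unknown tags)."""
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False
```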