XML Considered Harmful

Chris Angelico rosuav at gmail.com
Thu Sep 23 23:11:48 EDT 2021


On Fri, Sep 24, 2021 at 12:22 PM Stefan Ram <ram at zedat.fu-berlin.de> wrote:
>
> dn <PythonList at DancesWithMice.info> writes:
> >With that, why not code it as Python expressions, and include the module?
>
>   This might create a code execution vulnerability if such
>   files are exchanged between multiple parties.
>
>   If code execution vulnerabilities and human-readability are
>   not an issue, then one could also think about using pickle.
>
>   If one ignores security concerns for a moment, serialization into
>   a text format and subsequent deserialization can be as easy as:
>
> |>>> eval( str( [1, (2, 3)] ))
> |[1, (2, 3)]
>

One good hybrid is to take a subset of Python syntax (so it still
looks like a Python script for syntax highlighting etc), and then
parse that yourself, using the ast module. For instance, you can strip
out comments, then look for "VARNAME = ...", and parse the value using
ast.literal_eval(), which will give you a fairly flexible file format
that's still quite safe.

ChrisA
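The hybrid Chris describes, written out as an added example (my code, not Chris's): the file is parsed with ast.parse, which already drops comments and splits statements, and only plain "NAME = <literal>" assignments are accepted; the value is turned into a Python object with ast.literal_eval, so calls, names, imports and any other statement are rejected instead of executed. The sample config text is constructed for the example.

```python
import ast

# Constructed sample in the allowed subset: comments plus NAME = <literal>.
SAMPLE_CONFIG = """
# comments are discarded by ast.parse
host = "example.invalid"
ports = [8080, (8443, "tls")]
retries = 3
"""


class ConfigError(ValueError):
    """Raised for anything outside the NAME = <literal> subset."""


def load_config(text):
    """Parse a restricted Python-syntax config into a dict of literals."""
    try:
        tree = ast.parse(text, mode="exec")
    except SyntaxError as exc:
        raise ConfigError(f"not valid Python syntax: {exc}") from None

    result = {}
    for node in tree.body:
        # Only a plain assignment to a single bare name is allowed; imports,
        # function definitions, expression statements etc. are refused.
        if (not isinstance(node, ast.Assign)
                or len(node.targets) != 1
                or not isinstance(node.targets[0], ast.Name)):
            raise ConfigError(f"line {node.lineno}: only NAME = value is allowed")
        name = node.targets[0].id
        try:
            # literal_eval evaluates the value node without running code:
            # calls, attribute access and bare names raise ValueError.
            value = ast.literal_eval(node.value)
        except ValueError:
            raise ConfigError(
                f"line {node.lineno}: value of {name!r} is not a literal"
            ) from None
        result[name] = value
    return result


if __name__ == "__main__":
    print(load_config(SAMPLE_CONFIG))
```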

