What YAML engine do you use?
Fredrik Lundh
fredrik at pythonware.com
Sat Jan 22 17:13:50 EST 2005
Alex Martelli wrote:
>> [1, 2, 'Joe Smith', 8237972883334L, # comment
>> {'Favorite fruits': ['apple', 'banana', 'pear']}, # another comment
>> 'xyzzy', [3, 5, [3.14159, 2.71828, []]]]
>>
>> I don't see what YAML accomplishes that something like the above wouldn't.
>>
>> Note that all the values in the above have to be constant literals.
>> Don't suggest using eval. That would be a huge security hole.
>
> I do like the idea of a parser that's restricted to "safe expressions"
> in this way. Once the AST branch merge is done, it seems to me that
> implementing it should be a reasonably simple exercise, at least at a
> "toy level".
for slightly more interop, you could plug in a modified tokenizer, and use
JSON:
http://www.crockford.com/JSON/xml.html
> I wonder, however, if, as an even "toyer" exercise, one might not
> already do it easily -- by first checking each token (as generated by
> tokenize.generate_tokens) to ensure it's safe, and THEN eval _iff_ no
> unsafe tokens were found in the check. Accepting just square brackets,
> braces, commas, constant strings and numbers, and comments, should be
> pretty safe -- we'd no doubt want to also accept minus (for unary
> minus), plus (to make complex numbers), and specifically None, True,
> False
or you could use a RE to make sure the string only contains safe literals,
and pass the result to eval.
> but that, it appears to me, still leaves little margin for an attacker to prepare
> an evil string that does bad things when eval'd...
besides running out of parsing time or object memory, of course. unless
you check the size before/during the parse.
</F>
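The token-whitelist check Alex sketches above, with the size check Fredrik adds, written out as an added example (this is not code from the thread, nor Fredrik's or Alex's). It walks the output of tokenize.generate_tokens and accepts only brackets, braces, commas, colons, plus and minus, numbers, constant strings, comments and the names None/True/False; parentheses (for tuples) are an addition made here. The f-string prefix check is also an addition: on Python versions before 3.12 an f-string arrives as a single STRING token yet is evaluated as an expression, so a whitelist that trusts every STRING token would let code through. The sample input is the thread's own list, adapted to Python 3; the other inputs are constructed.

```python
import io
import tokenize
from typing import Any, List, Tuple

# Token whitelist following the thread: brackets, braces, commas,
# constant strings and numbers, comments, unary minus, plus, and the
# names None/True/False. Parentheses (for tuples) and the colon (needed
# inside dict literals) are additions made in this example.
SAFE_OPS = {"[", "]", "{", "}", "(", ")", ",", ":", "-", "+"}
SAFE_NAMES = {"None", "True", "False"}
SAFE_TYPES = {tokenize.NUMBER, tokenize.COMMENT, tokenize.NL,
              tokenize.NEWLINE, tokenize.ENDMARKER}


def _string_prefix(tok_str: str) -> str:
    """Letters before the opening quote of a string token, e.g. 'rb' for rb"x"."""
    for i, ch in enumerate(tok_str):
        if ch in "'\"":
            return tok_str[:i].lower()
    return tok_str.lower()


def unsafe_tokens(text: str) -> List[Tuple[str, str]]:
    """Return (token type, token text) for every token outside the whitelist.

    An empty list means every token is a harmless literal or punctuation.
    Tokenizer failures (unterminated strings, stray characters) are
    reported as unsafe rather than raised.
    """
    bad = []
    try:
        # eval() itself ignores leading spaces/tabs, so strip them here too
        # instead of treating the resulting INDENT token as unsafe.
        for tok in tokenize.generate_tokens(io.StringIO(text.strip()).readline):
            if tok.type in SAFE_TYPES:
                continue
            if tok.type == tokenize.OP and tok.string in SAFE_OPS:
                continue
            if tok.type == tokenize.NAME and tok.string in SAFE_NAMES:
                continue
            # f-strings are expressions, not constants: before Python 3.12
            # they tokenize as one STRING token, so the prefix must be checked.
            # From 3.12 on they arrive as FSTRING_START etc. and fail the
            # type check anyway.
            if tok.type == tokenize.STRING and "f" not in _string_prefix(tok.string):
                continue
            bad.append((tokenize.tok_name.get(tok.type, str(tok.type)), tok.string))
    except (tokenize.TokenError, SyntaxError) as exc:
        bad.append(("TOKENIZE_ERROR", str(exc)))
    return bad


def is_safe_literal(text: str, max_len: int = 4096) -> bool:
    """Size check first (bounds parse time and object memory), then tokens."""
    return len(text) <= max_len and not unsafe_tokens(text)


def safe_literal_eval(text: str, max_len: int = 4096) -> Any:
    """eval() the text only if it passed both checks; raise ValueError otherwise."""
    if len(text) > max_len:
        raise ValueError("input of {} chars exceeds limit of {}".format(len(text), max_len))
    bad = unsafe_tokens(text)
    if bad:
        raise ValueError("unsafe tokens: {!r}".format(bad))
    # Emptying the builtins is only a second layer; the token check is the gate.
    return eval(text.strip(), {"__builtins__": {}}, {})


# Constructed sample input: the thread's own example adapted to Python 3
# (no 'L' suffix on the long integer).
SAMPLE = """[1, 2, 'Joe Smith', 8237972883334, # comment
{'Favorite fruits': ['apple', 'banana', 'pear']}, # another comment
'xyzzy', [3, 5, [3.14159, 2.71828, []]]]"""

if __name__ == "__main__":
    print(safe_literal_eval(SAMPLE))
    for text in ["len([])", "2 ** 64", 'f"{1}"', "-1, +2"]:
        print(repr(text), "->", "ok" if is_safe_literal(text) else unsafe_tokens(text))
```

The size limit is checked before tokenizing, since the tokenizer and the parser are the first things an oversized input would exhaust. Later Python releases (2.6 and 3.0 onward) ship ast.literal_eval, which walks the parsed tree instead of the token stream and is the standard answer to this question today.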