PyYaml?
Clark C. Evans
cce at clarkevans.com
Mon Sep 20 17:42:55 EDT 2004
On Mon, Sep 20, 2004 at 10:02:49PM +0100, Paul Moore wrote:
| > Serialization security seems generally assigned as a responsibility
| > of the user, who is usually in the best position to gauge their
| > data's effects. The best a serialization format can do is ensure
| > data reconstruction within the bounds described by the user.
|
| As I say, most of this should be in the YAML documentation. I'll be
| charitable and assume that it's just something that hasn't been
| written up yet, but that section in the spec that I quoted looks
| pretty explicit in its vagueness :-)

Indeed. I'd go so far as to say it's a blind spot; or, probably more
accurately, something that we have not had time to seriously address.

I think some of the changes with how implicit typing is specified
should help in this regard -- it punts much of the security issues to
the application. If the Application wishes to use a lazy approach (and
hence insecure) to mapping tags to native object implementations, then
it should be explicitly requested by the Application.

The other faults in PyYaml, as diligently pointed out by Andrew, are
implementation faults and not directly attributable to YAML itself.

Clark
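The point Clark makes about tag-to-object mapping being an explicit application decision is what a restrictive loader looks like in practice. The following is an added example written for this archive page, not code from the thread or from the PyYAML project: it builds on PyYAML's SafeLoader, registers one hypothetical application tag (`!app/endpoint`, an assumed name), and refuses any tag the application did not register instead of resolving it to an arbitrary native type. The sample documents are constructed for the example.

```python
"""Explicit, allow-listed tag-to-object mapping on top of PyYAML's SafeLoader."""
from dataclasses import dataclass

import yaml


@dataclass(frozen=True)
class Endpoint:
    """A native object the application has chosen to expose to YAML documents."""
    host: str
    port: int


class AppLoader(yaml.SafeLoader):
    """SafeLoader subclass: only tags registered on this class resolve to objects."""


def _construct_endpoint(loader: yaml.SafeLoader, node: yaml.Node) -> Endpoint:
    # Build the object from a mapping node; the constructor, not the document,
    # decides which Python type is instantiated and validates its fields.
    fields = loader.construct_mapping(node, deep=True)
    return Endpoint(host=str(fields["host"]), port=int(fields["port"]))


# Hypothetical application tag; registering it is the application's explicit opt-in.
AppLoader.add_constructor("!app/endpoint", _construct_endpoint)


def load_config(text: str):
    """Parse application config, resolving only allow-listed tags."""
    return yaml.load(text, Loader=AppLoader)


# Constructed sample documents (not from the thread).
GOOD_DOC = """
name: api
upstream: !app/endpoint
  host: 10.0.0.5
  port: 8443
"""

UNREGISTERED_DOC = """
name: api
upstream: !other/unregistered
  host: 10.0.0.5
  port: 8443
"""


def load_or_reject(text: str):
    """Return (True, parsed) or (False, reason); unregistered tags are rejected."""
    try:
        return True, load_config(text)
    except yaml.constructor.ConstructorError as exc:
        return False, str(exc.problem)


if __name__ == "__main__":
    print(load_or_reject(GOOD_DOC))
    print(load_or_reject(UNREGISTERED_DOC))
```

The second document is rejected with a ConstructorError naming the unknown tag, so a document cannot pull in a type the application never asked for; adding a type means adding a constructor, which is exactly the explicit request Clark describes.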