PyYaml?


Question

Is there any benefit to Pickle over YAML? Given that Pickle is insecure,
wouldn't it make more sense to support a secure serialization format,
one that's even readable to boot, such as YAML? There's even a pure
Python implementation at www.pyyaml.org

Recommended answer

Chris S. wrote:
> Is there any benefit to Pickle over YAML? Given that Pickle is insecure,
> wouldn't it make more sense to support a secure serialization format,
> one that's even readable to boot, such as YAML? There's even a pure
> Python implementation at www.pyyaml.org

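Looking at the PyYaml docs, under "limitations"

] PyYaml converts Python builtin types bidirectionally, and converts
] instances unidirectionally (although with directives eg from_yaml
] and to_yaml it can do this bidirectionally). When YAMLizing an
] instance, PyYaml serializes only its instance data (its '.dict'),
] with no meta-information about which class it came from.

Add support for restoring an arbitrary class and you end
up with exactly the same security problems pickle has.

Also, I'll guess that it doesn't handle Python's new __slots__
since it only mentions __dict__.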

Andrew
da***@dalkescientific.com


On Sat, 18 Sep 2004 04:20:14 +0000, Chris S. wrote:
> Is there any benefit to Pickle over YAML? Given that Pickle is insecure,
> wouldn't it make more sense to support a secure serialization format,
> one that's even readable to boot, such as YAML?

Anything that can "pickle" will be insecure. It is the capabilities of
pickling, not the implementation, that is insecure.


Andrew Dalke wrote:
> Looking at the PyYaml docs, under "limitations"
> ] PyYaml converts Python builtin types bidirectionally, and converts
> ] instances unidirectionally (although with directives eg from_yaml
> ] and to_yaml it can do this bidirectionally). When YAMLizing an
> ] instance, PyYaml serializes only its instance data (its '.dict'),
> ] with no meta-information about which class it came from.
>
> Add support for restoring an arbitrary class and you end
> up with exactly the same security problems pickle has.

I believe those docs are slightly outdated. PyYaml does have limited
support for class restoration (at least in my experience). Granted the
class definition must be loaded into the current frame, a similar
limitation of Pickle. However, Pickle's small programming language
allows for arbitrary file deletion. That would not be possible with Yaml.

> Also, I'll guess that it doesn't handle Python's new __slots__
> since it only mentions __dict__.

True. In fact, the current implementation doesn't yet fully handle
subclassing/inheritance. They've done a lot, but it's still a work in
progress.
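
The point made in the thread, that the risk comes from the capability to restore arbitrary objects rather than from a particular implementation, can be shown with the standard library alone. The following is an added example, not code from the thread or from PyYaml: `Marker`, `ALLOWED_GLOBALS`, `RestrictedUnpickler`, `restricted_loads` and `demo` are names made up here, and the callable named by the pickle is a harmless `os.getcwd`.

```python
import io
import os
import pickle


class Marker:
    """Constructed sample object. Its pickle does not store instance data;
    it tells the loader to import a callable and call it (benign here)."""

    def __reduce__(self):
        return (os.getcwd, ())


# The only globals the restricted loader will resolve (constructed allow-list).
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup that is not explicitly allow-listed."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    blob = pickle.dumps(Marker())
    # Default loader: resolves the named callable and calls it during load,
    # so what comes back is the call's result, not a Marker.
    default_result = pickle.loads(blob)
    # Restricted loader: the same bytes are rejected before anything is called.
    try:
        restricted_loads(blob)
        error = None
    except pickle.UnpicklingError as exc:
        error = str(exc)
    # Plain data (builtin containers and scalars) still round-trips.
    record = {"tags": {"a", "b"}, "n": 3}
    return default_result, error, restricted_loads(pickle.dumps(record)) == record


if __name__ == "__main__":
    print(demo())
```

An allow-list on `find_class` narrows what a pickle can name, but it does not make unpickling untrusted input safe in general. A data-only loader such as PyYAML's `yaml.safe_load` avoids the capability altogether.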

