How to deserialize an object with PyYAML using safe_load?


Problem description

Having a snippet like the following:

import yaml

class User(object):
    def __init__(self, name, surname):
        self.name = name
        self.surname = surname

user = User('spam', 'eggs')
serialized_user = yaml.dump(user)
# Network
# Unsafe on untrusted input; PyYAML 6 and later require the Loader to be named explicitly.
deserialized_user = yaml.load(serialized_user, Loader=yaml.UnsafeLoader)
print("name: %s, sname: %s" % (deserialized_user.name, deserialized_user.surname))

The YAML docs say that it is not safe to call yaml.load with any data received from an untrusted source; so, what should I modify in my snippet/class to use the safe_load method?

Is it possible?

Recommended answer

It appears that safe_load, by definition, does not let you deserialize your own classes. If you want it to be safe, I'd do something like this:

import yaml

class User(object):
    def __init__(self, name, surname):
        self.name = name
        self.surname = surname

    def yaml(self):
        # Dump only plain data (a dict of strings), never the object itself
        return yaml.dump(self.__dict__)

    @staticmethod
    def load(data):
        # safe_load builds only standard YAML types; the User is constructed here
        values = yaml.safe_load(data)
        return User(values["name"], values["surname"])

user = User('spam', 'eggs')
serialized_user = user.yaml()
print("serialized_user:  %s" % serialized_user.strip())

# Network
deserialized_user = User.load(serialized_user)
print("name: %s, sname: %s" % (deserialized_user.name, deserialized_user.surname))

The advantage here is that you have absolute control over how your class is (de)serialized. That means that you won't get random executable code over the network and run it. The disadvantage is that you have absolute control over how your class is (de)serialized. That means you have to do a lot more work. ;-)
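
The answer above keeps safe_load and rebuilds the object by hand. As an added example (not part of the original answer), the same allow-list idea can be expressed with PyYAML's own hooks: a SafeLoader subclass that accepts one extra tag and validates the mapping before the object is built. The tag name !User and the names UserLoader, UserDumper, represent_user, construct_user, dump_user and load_user are assumptions chosen for illustration.

```python
import yaml


class User(object):
    def __init__(self, name, surname):
        self.name = name
        self.surname = surname


class UserLoader(yaml.SafeLoader):
    """SafeLoader plus one allow-listed tag (!User); nothing else is added."""


class UserDumper(yaml.SafeDumper):
    """SafeDumper that emits User as a plain mapping tagged !User."""


def represent_user(dumper, user):
    return dumper.represent_mapping(
        "!User", {"name": user.name, "surname": user.surname})


def construct_user(loader, node):
    # Build the mapping with safe constructors only, then validate it
    # before any value reaches User.__init__.
    values = loader.construct_mapping(node, deep=True)
    if set(values) != {"name", "surname"}:
        raise yaml.constructor.ConstructorError(
            None, None, "unexpected fields for !User", node.start_mark)
    if not all(isinstance(v, str) for v in values.values()):
        raise yaml.constructor.ConstructorError(
            None, None, "!User fields must be strings", node.start_mark)
    return User(values["name"], values["surname"])


# Registered on the subclasses only; yaml.safe_load / yaml.safe_dump are unchanged.
UserDumper.add_representer(User, represent_user)
UserLoader.add_constructor("!User", construct_user)


def dump_user(user):
    return yaml.dump(user, Dumper=UserDumper)


def load_user(data):
    return yaml.load(data, Loader=UserLoader)


if __name__ == "__main__":
    user = load_user(dump_user(User("spam", "eggs")))  # constructed sample
    print("name: %s, sname: %s" % (user.name, user.surname))
```

A document carrying the !!python/object tag that plain yaml.dump(user) emits, an unknown field, or a non-string value raises yaml.YAMLError from load_user instead of constructing anything.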
