
PyYaml not using Yaml 1.2?

Lele Gaifax <lele at metapensiero.it>:

> leam hall <leamhall at gmail.com> writes:
>> Tracked down the GitHub repo (https://github.com/yaml/pyyaml) and it seems
>> to be gearing back up. I'll see what I can do to help.
> See also https://bitbucket.org/ruamel/yaml, a fork of PyYAML; it seems more
> actively maintained and already supports format 1.2.

BTW, happened to land on this blog posting that mentions a security
warning regarding PyYAML:

   A suggested fix is to always use yaml.safe_load for handling YAML
   serialization you can't trust. Still, the current PyYAML default
   feels somewhat provoking considering other serialization libraries
   tend to use dump/load function names for similar purposes, but in a
   safe manner.

   <URL: https://access.redhat.com/blogs/766093/posts/2592591>
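The load/safe_load contrast the quoted post describes, and the YAML 1.1 scalar resolution behind the subject line, as an added example (not code from the thread, the blog post, or the PyYAML project). It assumes PyYAML 5.1 or later, where yaml.load takes an explicit Loader (required since 6.0) and yaml.UnsafeLoader exists; the sample documents are constructed here.

```python
"""Contrast yaml.safe_load with the unsafe loader on a tagged document,
and show PyYAML's YAML 1.1 resolution of scalars such as `no` and `on`."""
import yaml

# Constructed sample: ordinary configuration data.
PLAIN_DOC = """
service: billing
replicas: 3
"""

# Same data plus a PyYAML-specific tag. `!!python/name:<module>.<attr>` asks
# the full/unsafe loaders to look up a Python object by dotted name. The safe
# loader has no constructor for any python/* tag, so it refuses the document
# instead of importing anything. `builtins.len` is used as a harmless target.
TAGGED_DOC = PLAIN_DOC + "callback: !!python/name:builtins.len\n"

# YAML 1.1 booleans that PyYAML resolves implicitly; YAML 1.2 treats
# `no` and `on` as plain strings, which is one reason the 1.2 question matters.
YAML11_DOC = "answer: no\nenabled: on\n"


def load_untrusted(text):
    """Parse YAML from a source you do not control, using the safe loader only.

    Returns (True, data) on success, or (False, error) when the document
    carries a tag the safe loader will not construct.
    """
    try:
        return True, yaml.safe_load(text)
    except yaml.constructor.ConstructorError as exc:
        return False, exc


def safe_loader_rejects(text):
    """True if the safe loader refuses the document because of its tags."""
    ok, _ = load_untrusted(text)
    return not ok


def unsafe_loader_resolves(text):
    """Comparison only: the unsafe loader turns the tag into a live Python
    object (here the builtin `len` function). Never do this with input you
    did not produce yourself; yaml.load without SafeLoader is the pitfall
    the thread is about."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)["callback"]


def yaml11_booleans(text):
    """Show how PyYAML resolves YAML 1.1 boolean spellings."""
    return yaml.safe_load(text)


if __name__ == "__main__":
    print("plain document:", load_untrusted(PLAIN_DOC))
    ok, err = load_untrusted(TAGGED_DOC)
    print("tagged document via safe_load:", "rejected" if not ok else "accepted", err)
    print("tagged document via UnsafeLoader:", unsafe_loader_resolves(TAGGED_DOC))
    print("YAML 1.1 booleans:", yaml11_booleans(YAML11_DOC))
```

The only loader worth exposing to data from outside your process is the one behind `safe_load`; the unsafe path is included purely to make the difference visible. The last function is the practical consequence of PyYAML targeting YAML 1.1 rather than 1.2: a value someone meant as the string "no" comes back as the boolean False unless it is quoted.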