This might be a bit off-topic. It's about the dangers of yaml.load. Cameron Simpson and Steve D'Aprano wrote
>> So, if an application accepts user-supplied input (such as a JSON payload),
>> is that data marked as non-executable?

> Unless you've hacked the JSON decoder (I think you can supply a custom
> decoder for some things) all you're going to get back is ints, strs, dicts
> and lists. And floats. None of those is executable.

It's not the same with YAML. At last year's PyCon UK I went to Rae Knowler's talk about bad defaults.

https://2017.pyconuk.org/sessions/keynotes/unsafe-at-any-speed/
https://speakerdeck.com/bellisk/unsafe-at-any-speed-pycon-uk-26th-october-2017

and saw, in a nutshell (slide 21)

  yaml.load is the obvious function to use but it is dangerous
  https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html#incorrect

Rae's talk also mentioned (slides 19 and 20)

  Enabling certificate verification by default for stdlib http clients
  https://www.python.org/dev/peps/pep-0476/

Following Rae, I consider using the name *yaml.load* for the *unsafe* load is already a security flaw!

--
Jonathan

_______________________________________________
Python-ideas mailing list
Python-ideas@python.org
https://mail.python.org/mailman/listinfo/python-ideas
Code of Conduct: http://python.org/psf/codeofconduct/
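The contrast drawn above, that a JSON decoder only ever hands back plain data while YAML can construct arbitrary Python objects, is illustrated by the following added example; it is not part of Jonathan's post or of PyYAML. It assumes PyYAML is installed, and the helper names (`load_untrusted_yaml`, `try_load`, `is_plain_data`) and the sample documents are constructed for this example. It parses untrusted YAML with `yaml.safe_load` (never the bare `yaml.load`), turns any tag the safe loader cannot construct into a rejection, and then checks the result against an allow-list of plain types, with a strict mode that accepts only what `json.loads` could have produced.

```python
"""Added example (not from the post): load untrusted YAML so that, like JSON,
only plain data ever comes back.  Uses PyYAML's safe_load and then verifies
the result against an allow-list of plain types.  Helper names and the
sample documents are constructed for this example."""
import datetime
from typing import Any, Tuple

try:
    import yaml  # PyYAML, assumed to be installed
except ImportError:  # pragma: no cover
    yaml = None

# Everything json.loads can ever return.
JSON_TYPES = (dict, list, str, int, float, bool, type(None))
# Extra plain types yaml.safe_load builds from standard (non-Python) tags,
# e.g. an unquoted 2017-10-26 becomes datetime.date.
YAML_EXTRA_TYPES = (datetime.date, datetime.datetime, bytes, set)

# Constructed sample documents.
CONSTRUCTED_CONFIG = "name: demo\nretries: 3\nhosts: [a, b]\n"
CONSTRUCTED_DATED = "talk: unsafe-at-any-speed\nwhen: 2017-10-26\n"
# A harmless Python-specific tag: the SafeLoader has no constructor for it,
# so safe_load raises instead of building a Python object.
CONSTRUCTED_TAGGED = "pair: !!python/tuple [1, 2]\n"


def has_pyyaml() -> bool:
    return yaml is not None


def is_plain_data(obj: Any, strict_json: bool = False) -> bool:
    """True if obj is a tree of plain values: no functions, no class instances."""
    allowed = JSON_TYPES if strict_json else JSON_TYPES + YAML_EXTRA_TYPES
    if not isinstance(obj, allowed):
        return False
    if isinstance(obj, dict):
        return all(is_plain_data(k, strict_json) and is_plain_data(v, strict_json)
                   for k, v in obj.items())
    if isinstance(obj, (list, set)):
        return all(is_plain_data(item, strict_json) for item in obj)
    return True


def load_untrusted_yaml(text: str, strict_json: bool = False) -> Any:
    """yaml.safe_load plus a type check on the result.

    Raises ValueError for any tag the SafeLoader cannot construct (every
    !!python/* tag included) and for any non-plain object in the output.
    """
    if yaml is None:
        raise RuntimeError("PyYAML is not installed")
    try:
        data = yaml.safe_load(text)
    except yaml.YAMLError as exc:  # ConstructorError, ScannerError, ...
        raise ValueError(f"rejected: {type(exc).__name__}") from exc
    if not is_plain_data(data, strict_json):
        raise ValueError("rejected: non-plain object in parsed data")
    return data


def try_load(text: str, strict_json: bool = False) -> Tuple[str, Any]:
    """Non-raising wrapper: ('ok', data) or ('rejected', reason)."""
    try:
        return "ok", load_untrusted_yaml(text, strict_json)
    except (ValueError, RuntimeError) as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    for label, doc in [("config", CONSTRUCTED_CONFIG),
                       ("dated", CONSTRUCTED_DATED),
                       ("tagged", CONSTRUCTED_TAGGED)]:
        print(label, "lenient:", try_load(doc))
        print(label, "strict: ", try_load(doc, strict_json=True))
```

The strict mode exists because even `safe_load` is not quite JSON: implicit typing turns an unquoted date into a `datetime.date`, which is harmless but is not something a JSON consumer expects. The tagged document shows the property the post is after: with the safe loader, a Python-specific tag is a parse error, not an object construction.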