PyYAML 4.1 changes "safe" in more ways than immediately obvious #187
Here's a gist which demonstrates the different behaviors: https://gist.github.com/cdent/130181f02f7cb2737f81fef2ebffc8d3
To clarify the issues here there are basically two separate problems:
This is a problem for me as well
danger load works for python objects, but not for custom tags
So I have been experimenting a bit with PythonLoader to address the first issue, @ingydotnet joined. To make this work with the current code, one would need to set the loader explicitly. @cdent, I took your gist, and if I change it like this, everything works like expected:
Working on
I wrote up an example of the different behaviour of
PyYAML 5.1 is released now. https://pypi.org/project/PyYAML/5.1/ See https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation for safety details.
Patch Set 1: Code-Review-1
There are some other issues with 4.x as well, see yaml/pyyaml#187
So I reckon we need to hold on this for at least a while.
Patch-set: 1
Reviewer: Gerrit User 11564 <11564@4a232e18-c5a9-48ee-94c0-e04e7cca6543>
Label: Code-Review=-1
It's clear from the changelog that pyyaml 4.x now defaults to a style of safe_load for loading. This is probably good. However, it also appears that the definition of "safe" has changed somewhat.
In cdent/gabbi#252 the 'safe' related tests work differently depending on whether >4 or <4 is used. As currently written they pass with 4 and fail with 3. The difference seems to be that "safe" in 3 and 4 mean different things:
python/object, and unsafe will not load custom tags, but will load python/object
python/object, neither in safe
The branch on that pull request can demonstrate the problem with different PyYAML versions. And master in the same repo will as well.
However, I have no confidence that I'm parsing what's going on properly at all, so I need to come up with a minimal test case, which I'll try to do real soon, but I first wanted to get this written down in case there is something obviously wrong in either my code or in PyYAML.
I will follow up to this with the MTC, ASAP. Sorry for dropping noise like this, but needed to dump state.
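The thread turns on which loader constructs custom tags and which constructs python/object tags. The sketch below is an added example, not code from the thread or from PyYAML: it assumes PyYAML is installed, uses only the `SafeLoader` and `Loader` classes, and the `!endpoint` tag, `Endpoint` class and `AppSafeLoader` subclass are hypothetical names. It shows that tag constructors belong to one loader class, so a custom tag registered on a safe loader is unknown to the other loaders, and python/object is refused by every safe one.

```python
import yaml  # PyYAML


class Endpoint:
    """Application type behind the hypothetical !endpoint tag."""

    def __init__(self, host, port):
        self.host, self.port = host, port


def construct_endpoint(loader, node):
    # Build the object from plain scalars only; nothing is imported by name.
    fields = loader.construct_mapping(node)
    return Endpoint(str(fields["host"]), int(fields["port"]))


class AppSafeLoader(yaml.SafeLoader):
    """SafeLoader plus the one custom tag the application allows."""


# add_constructor copies the constructor table onto this subclass, so
# yaml.SafeLoader and yaml.Loader do not learn about !endpoint.
AppSafeLoader.add_constructor("!endpoint", construct_endpoint)

# Constructed sample documents (the python/object one names a harmless class).
CUSTOM_TAG_DOC = "!endpoint {host: example.test, port: 8443}"
PY_OBJECT_DOC = "!!python/object:argparse.Namespace {role: admin}"


def try_load(text, loader_cls):
    """Return the constructed type's name, or 'rejected' for a refused tag."""
    try:
        return type(yaml.load(text, Loader=loader_cls)).__name__
    except yaml.constructor.ConstructorError:
        return "rejected"


def load_matrix():
    """Load both documents with each loader class and record the outcome."""
    loaders = {"AppSafeLoader": AppSafeLoader,
               "SafeLoader": yaml.SafeLoader,
               "Loader": yaml.Loader}
    docs = {"custom": CUSTOM_TAG_DOC, "python/object": PY_OBJECT_DOC}
    return {(doc, name): try_load(text, cls)
            for doc, text in docs.items() for name, cls in loaders.items()}


if __name__ == "__main__":
    for key, outcome in sorted(load_matrix().items()):
        print(key, outcome)
```

Passing `Loader=` explicitly on every call keeps the result independent of whatever default a given PyYAML release picks for `yaml.load`.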