问题描述
大约 5 小时前,4.1.0 版本发布.它打破了我的单元测试.这是一个干净的 MVCE 显示:
About 5 hours ago, version 4.1.0 was released. It is breaking my unit tests. Here is a clean MVCE displaying this:
3.12 版:
>>> import numpy as np >>> import yaml >>> x = np.int64(2) >>> yaml.dump(x, Dumper=yaml.Dumper) '!!python/object/apply:numpy.core.multiarray.scalar - !!python/object/apply:numpy.dtype args: [i8, 0, 1] state: !!python/tuple [3, <, null, null, null, -1, -1, 0] - !!binary | AgAAAAAAAAA= '
4.1.0 版:
>>> import numpy as np >>> import yaml >>> x = np.int64(2) >>> yaml.dump(x, Dumper=yaml.Dumper) Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/foo/anaconda3/envs/bar/lib/python3.6/site-packages/yaml/__init__.py", line 217, in dump return dump_all([data], stream, Dumper=Dumper, **kwds) File "/foo/anaconda3/envs/bar/lib/python3.6/site-packages/yaml/__init__.py", line 196, in dump_all dumper.represent(data) File "/foo/anaconda3/envs/bar/lib/python3.6/site-packages/yaml/representer.py", line 26, in represent node = self.represent_data(data) File "/foo/anaconda3/envs/bar/lib/python3.6/site-packages/yaml/representer.py", line 57, in represent_data node = self.yaml_representers[None](self, data) File "/foo/anaconda3/envs/bar/lib/python3.6/site-packages/yaml/representer.py", line 229, in represent_undefined raise RepresenterError("cannot represent an object", data) yaml.representer.RepresenterError: ('cannot represent an object', 2)
PyYAML 不再支持这些对象类型有明确的原因吗?
Is there a clear reason for why PyYAML no longer supports these object types?
推荐答案
在 PyYAML 4.x 中,dump 是 safe_dump 的别名,不会处理任意对象:
In PyYAML 4.x, dump is an alias for safe_dump, which won't handle arbitrary objects:
>>> yaml.dump is yaml.safe_dump True
对旧的 3.x 行为使用 danger_dump.
Use danger_dump for the old 3.x behaviour.
>>> yaml.danger_dump(x) '!!python/object/apply:numpy.core.multiarray.scalar - !!python/object/apply:numpy.dtype args: [i8, 0, 1] state: !!python/tuple [3, <, null, null, null, -1, -1, 0] - !!binary | AgAAAAAAAAA= '
load/safe_load 也是如此.找不到 4.1.0 的任何文档或发行说明,我只是通过挖掘提交才发现的 (这里).
The same goes for load/safe_load. Can't find any docs or release notes for 4.1.0, I only found out by digging through the commits (here).
PyYAML 不再支持这些对象类型有明确的原因吗?
Is there a clear reason for why PyYAML no longer supports these object types?
是的.yaml.load 允许任意代码执行,而这种危险的功能只能选择加入,不能意外使用.可以说,从一开始就应该是这样的.
Yes. yaml.load was allowing arbitrary code execution, and such a dangerous feature should be opt-in only, not possible to use by accident. Arguably, it should have been this way from the beginning.
在当前的 PyYAML 5.x 中:您可以指定 loader/dumper 类作为参数,而不是使用不同的函数:
In current PyYAML 5.x: instead of using different functions, you can specify the loader/dumper class as an argument:
yaml.dump(x, Dumper=yaml.Dumper) # like "danger dump" yaml.dump(x, Dumper=yaml.SafeDumper) # like "safe_dump", won't dump python objs
与 3.x 一样,危险"dump 仍然是 5.x 中的默认值:
As with 3.x, the "danger" dump is still the default in 5.x:
>>> yaml.dump(sys) "!!python/module:sys '' " >>> yaml.dump(sys, Dumper=yaml.SafeDumper) RepresenterError: ('cannot represent an object', <module 'sys' (built-in)>)