This page explains the PyYAML 5.1 deprecation of the plain `yaml.load(input)` function. See Footnotes.
Use of PyYAML's `yaml.load` function without specifying the `Loader=...` parameter has been deprecated. In PyYAML version 5.1, you will get a warning, but the function will still work. See How to Disable the Warning below.

Before PyYAML 5.1, the `PyYAML.load` function could be easily exploited to call any Python function. That means it could call any system command using `os.system()`. Here is a trivial example:

Why is this deprecated?
PyYAML's `load` function has been unsafe since the first release in May 2006. It has always been documented that way in bold type: PyYAML Documentation. PyYAML has always provided a `safe_load` function that can load a subset of YAML without exploit.

Last year a CVE was filed against PyYAML because it was capable of being exploited on untrusted input using the `load` function, even though PyYAML was intentionally designed and documented to work that way from the start. The CVE seems to suggest that `load` should use `safe_load` by default. Since `safe_load` only handles a subset of YAML, and PyYAML has been a very popular Python package for over a decade, this change is not feasible.

YAML is a cross-programming-language data serialization language. PyYAML is an implementation of YAML that provides human-friendly (plain text) data serialization for Python. Pickle is Python's native (binary) data serialization format. Pickle is also unsafe, and documented loudly as such. The author of PyYAML intentionally made it Pickle compatible.
Since `load` cannot break backwards compatibility to call `safe_load`, the maintainers of PyYAML decided to simply deprecate the plain usage of `load`, and require that the user intentionally declare the Loader they desire. There are 4 loaders to choose from. See below.

The `load` function was also made much safer by disallowing the execution of arbitrary functions by the default loader (`FullLoader`).

How to Disable the Warning
If you are simply using Python software that issues the 'load() deprecation' warning, you should notify the authors of that software about it, so they can make and release the proper adjustments. One way to control/disable the warning is with the `PYTHONWARNINGS` environment variable:

You can read more about `PYTHONWARNINGS` here.

If you are the author/maintainer of the Python code that is triggering the warning, the best way to stop getting the warning is to specify the `Loader=` argument like so:
The current Loader choices are:

- `BaseLoader`: Only loads the most basic YAML.
- `SafeLoader`: Loads a subset of the YAML language, safely. This is recommended for loading untrusted input.
- `FullLoader`: Loads the full YAML language. Avoids arbitrary code execution. This is currently (PyYAML 5.1) the default loader called by `yaml.load(input)` (after issuing the warning).
- `UnsafeLoader` (also called `Loader` for backwards compatibility): The original Loader code that could be easily exploited by untrusted data input.

You may also use one of the shortcut 'sugar' methods:

- `yaml.safe_load`
- `yaml.full_load`
- `yaml.unsafe_load`
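As an added example (not code from this wiki page or from the PyYAML project itself), the following shows the explicit-Loader calls the page recommends: `safe_load` for untrusted input, `yaml.load(..., Loader=yaml.FullLoader)` for input you authored yourself, and what `SafeLoader` does when a document carries a python-specific tag. The sample documents and the helper names `load_untrusted`, `load_trusted` and `classify` are constructed for this example; the tagged document uses a harmless callable (`str.upper`) purely to exercise the rejection path.

```python
"""Explicit-Loader usage for PyYAML 5.1 and later (added example).

Requires PyYAML. The point demonstrated: naming the Loader avoids the
deprecation warning, and SafeLoader refuses python-specific tags
instead of resolving them to Python callables.
"""
import yaml

# Constructed sample: configuration written by the application's own authors.
TRUSTED_CONFIG = """
service: billing
replicas: 3
ports: [8080, 8443]
"""

# Constructed sample: a document carrying a python-specific tag. Under the
# pre-5.1 default Loader (now UnsafeLoader) such tags resolve to arbitrary
# Python callables; str.upper is used here only to show the rejection path.
TAGGED_DOC = """
greeting: !!python/object/apply:str.upper ["hello"]
"""


def load_untrusted(text: str):
    """Parse YAML that arrived from an untrusted source.

    safe_load uses SafeLoader, which constructs only plain YAML types
    (str, int, float, bool, None, list, dict, timestamps, ...). Any
    !!python/* tag raises ConstructorError rather than being executed.
    """
    return yaml.safe_load(text)


def load_trusted(text: str):
    """Parse YAML the application authored itself, with the Loader named.

    FullLoader is the post-5.1 default; it understands the full YAML
    language but does not execute arbitrary functions. Passing Loader=
    explicitly silences the YAMLLoadWarning on 5.1-5.4 and is mandatory
    on 6.0, where plain yaml.load(text) no longer works.
    """
    return yaml.load(text, Loader=yaml.FullLoader)


def classify(text: str) -> str:
    """Return 'ok' when SafeLoader accepts the document, 'rejected' when
    it refuses a tag. Useful as a triage step before handing data to
    code that expects plain dicts and lists."""
    try:
        load_untrusted(text)
        return "ok"
    except yaml.constructor.ConstructorError:
        return "rejected"


if __name__ == "__main__":
    print("trusted config:", load_trusted(TRUSTED_CONFIG))
    print("untrusted path on trusted config:", classify(TRUSTED_CONFIG))
    print("untrusted path on tagged document:", classify(TAGGED_DOC))
```

Both helpers pass a Loader (directly or via `safe_load`), so neither triggers the deprecation warning; the difference between them is only which tags they will construct, which is exactly the choice the page asks callers to make deliberately.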
If you are the author/maintainer of software that uses third party modules that trigger this warning, first make sure that their usage is safe for your application. Make sure they are aware of the warning. Then you can 'globally' disable the warning with:
Footnotes

This page will be kept up to date with the latest information about the `load()` deprecation, usage and warnings. The warning messages point to https://msg.pyyaml.org/load, which in turn should redirect you to here.