[issue46251] logger.config.configure_formatter executes arbitrary code

Vinay Sajip report at bugs.python.org
Wed Jan 5 02:35:11 EST 2022


Vinay Sajip <vinay_sajip at yahoo.co.uk> added the comment:

> "Don't load untrusted config files" is the answer I expected.

Yes. It's the usual convenience vs. security trade-off. To make configuration convenient, configurable factories with configurable parameters are provided. Can this be misused? Of course.

Digital signing has its place where auditability and accountability are important, but it would normally only be used in production where configuration changes are subject to a strict process with signoffs. 

There could definitely be stronger warnings in the documentation about trust and configurations.

> Is it reasonable to say that all classes by _resolve() and resolve() should have "logger." at the top of them? If not, perhaps the object could have a permitted list of top level packages that defaults to just "logger." but could be extended to others by the developer.

I would think that's going too far, and perhaps it only moves the problem. In any case, dictConfig has a mechanism using the "()" key which allows any callable, not just a class. This is for a not uncommon use case where the callable is a function that returns a logging object (handler/formatter/filter) that has been tweaked in some way. But that feature can of course also be used with untrusted inputs to produce surprises.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue46251>
_______________________________________
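The two mechanisms discussed in the comment above, shown in working code. This is an added example and is not code from the tracker thread or from logging.config itself. The first half builds a dictConfig whose formatter uses the "()" key to name an arbitrary dotted-path callable, exactly as a config arriving from a JSON or YAML file could, and records that dictConfig resolves and calls it during configuration, before any record is logged. The module name `untrusted_plugin` and the function `factory_from_config` are constructed stand-ins for whatever an attacker would point the dotted name at; the module is registered in `sys.modules` only so the example is self-contained. The second half is one way to implement the allowlist idea the reporter floated: a pre-check of every "()" and "class" value against a list of permitted dotted-name prefixes, run before the dict reaches dictConfig. The prefix list and `check_factories` / `load_checked` helpers are assumptions for illustration, not a logging feature.

```python
import logging
import logging.config
import sys
import types

# Constructed stand-in for "arbitrary code": it only records that it ran and
# what dictConfig passed to it.  A real attacker's dotted name would point at
# something far less benign.
CALLS = []


def factory_from_config(**kwargs):
    CALLS.append(dict(kwargs))
    return logging.Formatter("%(levelname)s %(message)s")


# Any importable dotted name works for "()"; register a throwaway module so
# "untrusted_plugin.factory_from_config" resolves no matter how this file is
# loaded.  (Constructed for the example.)
_plugin = types.ModuleType("untrusted_plugin")
_plugin.factory_from_config = factory_from_config
sys.modules["untrusted_plugin"] = _plugin


def untrusted_config():
    """An ordinary-looking logging config (as it would arrive from JSON/YAML),
    except that "()" names a callable chosen by the config author.  Any other
    keys in the same dict become keyword arguments to that callable."""
    return {
        "version": 1,
        "formatters": {
            "f": {"()": "untrusted_plugin.factory_from_config", "tag": "from-config"},
        },
        "handlers": {
            "h": {"class": "logging.StreamHandler", "formatter": "f"},
        },
        "root": {"level": "INFO", "handlers": ["h"]},
    }


def load_untrusted():
    """Feed the config to dictConfig unchanged.  The factory is imported and
    called while the config is processed; no logging call is needed.
    Returns the keyword arguments the factory received."""
    CALLS.clear()
    logging.config.dictConfig(untrusted_config())
    return list(CALLS)


# Illustration of the reporter's allowlist idea (assumed prefixes; the thread
# itself argues this only moves the problem, so treat it as defence in depth,
# not as a reason to load untrusted configs).
ALLOWED_PREFIXES = ("logging.",)


def check_factories(config, allowed_prefixes=ALLOWED_PREFIXES):
    """Return a list of "()" / "class" entries whose target is not a string
    starting with one of the allowed prefixes.  Empty list means accepted.
    Non-string targets (callables placed directly in the dict) are rejected
    too, since dictConfig would call them without resolving a name."""
    offending = []
    for section in ("formatters", "filters", "handlers"):
        for name, entry in config.get(section, {}).items():
            for key in ("()", "class"):
                if key not in entry:
                    continue
                target = entry[key]
                if not isinstance(target, str) or not target.startswith(allowed_prefixes):
                    offending.append(f"{section}.{name}[{key!r}] = {target!r}")
    return offending


def load_checked(config, allowed_prefixes=ALLOWED_PREFIXES):
    """Refuse the config before dictConfig can resolve anything in it."""
    bad = check_factories(config, allowed_prefixes)
    if bad:
        raise ValueError("refusing config with unlisted factories: " + "; ".join(bad))
    logging.config.dictConfig(config)


if __name__ == "__main__":
    print("factory received:", load_untrusted())
    print("pre-check findings:", check_factories(untrusted_config()))
```

Two caveats a reviewer of such a check would raise. First, the prefix test is purely lexical: allowing "logging." admits every callable reachable under the logging package, which is the "moves the problem" objection made in the comment above. Second, "()" and "class" are not the only import paths in a dictConfig; string values of the form `ext://module.attr` (for example a handler's `stream`) are also resolved by importing the named module, so a real allowlist has to cover those values as well.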

