[Python-checkins] [3.10] bpo-46251: Add 'Security Considerations' section to logging configura… (GH-30411) (GH-30447)

vsajip webhook-mailer at python.org
Thu Jan 6 18:18:47 EST 2022


https://github.com/python/cpython/commit/db60ed1170a02189a4fd4b7574e0722dd22c658b
commit: db60ed1170a02189a4fd4b7574e0722dd22c658b
branch: 3.10
author: Miss Islington (bot) <31488909+miss-islington at users.noreply.github.com>
committer: vsajip <vinay_sajip at yahoo.co.uk>
date: 2022-01-06T23:18:41Z
summary:

[3.10] bpo-46251: Add 'Security Considerations' section to logging configura… (GH-30411) (GH-30447)

files:
M Doc/library/logging.config.rst

diff --git a/Doc/library/logging.config.rst b/Doc/library/logging.config.rst
index 5a3e686802ea8..a1b8dc755ba6b 100644
--- a/Doc/library/logging.config.rst
+++ b/Doc/library/logging.config.rst
@@ -191,6 +191,20 @@ in :mod:`logging` itself) and defining handlers which are declared either in
    :func:`listen`.
 
 
+Security considerations
+^^^^^^^^^^^^^^^^^^^^^^^
+
+The logging configuration functionality tries to offer convenience, and in part this
+is done by offering the ability to convert text in configuration files into Python
+objects used in logging configuration - for example, as described in
+:ref:`logging-config-dict-userdef`. However, these same mechanisms (importing
+callables from user-defined modules and calling them with parameters from the
+configuration) could be used to invoke any code you like, and for this reason you
+should treat configuration files from untrusted sources with *extreme caution* and
+satisfy yourself that nothing bad can happen if you load them, before actually loading
+them.
+
+
 .. _logging-config-dictschema:
 
 Configuration dictionary schema
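Review bot: the new section grounds its warning only in :ref:`logging-config-dict-userdef`, but the same import-and-call mechanism is reached through every configuration entry point, including the :func:`listen` socket receiver referenced in the context line just above the new heading; consider stating explicitly that the caution applies to configuration received over the network as well as to configuration files. The closing sentence also says the same thing twice ("before actually loading them" after "if you load them"); suggest "and satisfy yourself that nothing bad can happen before you load them." Minor style point: the inline " - " used as a dash in the first sentence would read better as a colon or parenthesis in reST prose.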


