[issue36022] [Security] logging.config should not use eval()

STINNER Victor report at bugs.python.org
Mon Feb 18 06:33:49 EST 2019


STINNER Victor <vstinner at redhat.com> added the comment:

The issue has been reported by Alexandre D'Hondt to the PSRT.

I only selected the Python 3.8 version, since currently, logging.config explicitly *documents* that eval() is used. Example:

https://docs.python.org/3/library/logging.config.html#logging.config.listen

This issue is not a security vulnerability: you shouldn't let your users modify your logging configuration.

Alex Gaynor asked: "Does anyone know whether the logging config is considered to be equally privileged to the code using it or not?"

Paul McMillan wrote: "This does not qualify for a CVE. Allowing someone else to configure your logging endpoints would result in significant harm to your app in any language. For instance, in many applications you could turn the log level to debug, and then capture things like database credentials. Additionally, this behavior is extremely clearly documented with a callout warning, and is thus expected behavior."

(Quotes from private PSRT list.)

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36022>
_______________________________________
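Added example, not part of the tracker message above: it shows concretely why a logging configuration is as privileged as the code that loads it (fileConfig() passes each handler's `args` string to eval() with the logging module's namespace as globals), and the mitigation the listen() documentation points at, a `verify` callable that rejects configuration bytes that did not come from a trusted sender. The HMAC-based check, the shared key, the `LOGGING_CONFIG_EVAL_DEMO` marker variable and the function names are assumptions of this example, not anything the thread or the stdlib prescribes.

```python
"""Added example (not from bpo-36022): logging config == code execution,
and a listen() ``verify`` callback that only accepts authenticated configs."""
import hashlib
import hmac
import io
import logging
import logging.config
import os

# Hypothetical marker so the side effect of the evaluated config is observable.
MARKER_ENV = "LOGGING_CONFIG_EVAL_DEMO"

# Constructed INI config. fileConfig() does ``eval(args, vars(logging))`` for
# every handler, so the "argument" below is an arbitrary expression; ``os`` and
# ``sys`` resolve because logging imports both. The ``or sys.stderr`` keeps the
# StreamHandler constructor happy after the side effect has run.
ATTACKER_CONFIG = """\
[loggers]
keys=root

[handlers]
keys=h

[formatters]
keys=

[logger_root]
level=INFO
handlers=h

[handler_h]
class=StreamHandler
args=(os.environ.__setitem__({marker!r}, "1") or sys.stderr,)
""".format(marker=MARKER_ENV)


def load_untrusted_config(text: str) -> bool:
    """Load an INI config exactly as fileConfig() would and report whether the
    config author's code ran (True means the marker variable was set)."""
    os.environ.pop(MARKER_ENV, None)
    logging.config.fileConfig(io.StringIO(text), disable_existing_loggers=False)
    return os.environ.get(MARKER_ENV) == "1"


# Constructed shared secret; a real deployment would load it from a secrets store.
KEY = b"demo-shared-secret"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_config(key: bytes, config: bytes) -> bytes:
    """Trusted sender side: prefix the config bytes with an HMAC-SHA256 tag.
    The listen() client then sends this blob, length-prefixed, as the docs show."""
    return hmac.new(key, config, hashlib.sha256).digest() + config


def make_verifier(key: bytes):
    """Build the ``verify`` callable for logging.config.listen(port, verify=...).
    Contract from the listen() docs: take the received bytes, return the bytes
    to process (possibly transformed) or None to drop the request."""

    def verify(data: bytes):
        tag, body = data[:TAG_LEN], data[TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
            return None  # unauthenticated config: never reaches fileConfig/dictConfig
        return body

    return verify


if __name__ == "__main__":
    # Part 1: anyone who controls the config text controls the process.
    print("attacker code ran:", load_untrusted_config(ATTACKER_CONFIG))

    # Part 2: with verify=, only configs signed with KEY are applied. The
    # listener itself is not started here so the script stays self-contained:
    #   t = logging.config.listen(verify=make_verifier(KEY)); t.start()
    verify = make_verifier(KEY)
    good = sign_config(KEY, ATTACKER_CONFIG.encode())
    print("signed config accepted:", verify(good) is not None)
    print("unsigned config accepted:", verify(ATTACKER_CONFIG.encode()) is not None)
```

The `verify` hook only authenticates the sender; it does not make the configuration language itself safe. Whoever holds the signing key still gets arbitrary code execution through `args`, which is exactly the point made above: the logging configuration must be treated as code, and `listen()` should not be exposed to anyone who is not already trusted to change the program.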
