[Python-checkins] peps: PEP 446: rephrase the Security Vulnerability section

victor.stinner python-checkins at python.org
Thu Aug 15 11:40:43 CEST 2013


http://hg.python.org/peps/rev/08f79790ec9b
changeset:   5058:08f79790ec9b
user:        Victor Stinner <victor.stinner at gmail.com>
date:        Thu Aug 15 11:38:10 2013 +0200
summary:
  PEP 446: rephrase the Security Vulnerability section

files:
  pep-0446.txt |  22 ++++++++++------------
  1 files changed, 10 insertions(+), 12 deletions(-)


diff --git a/pep-0446.txt b/pep-0446.txt
--- a/pep-0446.txt
+++ b/pep-0446.txt
@@ -170,18 +170,11 @@
 Security Vulnerability
 ----------------------
 
-Leaking file descriptors is also a well known security vulnerability:
-read
-`FIO42-C. Ensure files are properly closed when they are no longer
-needed
-<https://www.securecoding.cert.org/confluence/display/seccode/FIO42-C.+Ensure+files+are+properly+closed+when+they+are+no+longer+needed>`_
-of the CERT.
-
-An untrusted child process can read sensitive data like passwords and
-take control of the parent process though leaked file descriptors. It is
-for example a way to escape from a chroot. With a leaked listening
-socket, a child process can accept new connections to read sensitive
-data.
+Leaking sensitive file handles and file descriptors can lead to security
+vulnerabilities. An untrusted child process can read sensitive data like
+passwords and take control of the parent process though leaked file
+descriptors. With a leaked listening socket, a child process can accept
+new connections to read sensitive data.
 
 Example of vulnerabilities:
 
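Review bot: the rewritten paragraph carries over a typo from the removed text: "take control of the parent process though leaked file descriptors" should read "through leaked file descriptors". The consolidation itself reads well, but note that the chroot-escape example ("It is for example a way to escape from a chroot") is dropped here without being moved elsewhere; if that was intentional, fine, otherwise consider keeping it in the "Example of vulnerabilities" list that follows.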
@@ -199,6 +192,11 @@
   <http://www.openssh.com/txt/portable-keysign-rand-helper.adv>`_
   (2011)
 
+Read also the CERT Secure Coding Standards:
+`FIO42-C. Ensure files are properly closed when they are no longer
+needed
+<https://www.securecoding.cert.org/confluence/display/seccode/FIO42-C.+Ensure+files+are+properly+closed+when+they+are+no+longer+needed>`_.
+
 
 Issues fixed in the subprocess module
 -------------------------------------

-- 
Repository URL: http://hg.python.org/peps

