[Python-checkins] peps: PEP 446: rephrase the Security Vulnerability section
victor.stinner
python-checkins at python.org
Thu Aug 15 11:40:43 CEST 2013
http://hg.python.org/peps/rev/08f79790ec9b
changeset: 5058:08f79790ec9b
user: Victor Stinner <victor.stinner at gmail.com>
date: Thu Aug 15 11:38:10 2013 +0200
summary:
PEP 446: rephrase the Security Vulnerability section
files:
pep-0446.txt | 22 ++++++++++------------
1 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/pep-0446.txt b/pep-0446.txt
--- a/pep-0446.txt
+++ b/pep-0446.txt
@@ -170,18 +170,11 @@
Security Vulnerability
----------------------
-Leaking file descriptors is also a well known security vulnerability:
-read
-`FIO42-C. Ensure files are properly closed when they are no longer
-needed
-<https://www.securecoding.cert.org/confluence/display/seccode/FIO42-C.+Ensure+files+are+properly+closed+when+they+are+no+longer+needed>`_
-of the CERT.
-
-An untrusted child process can read sensitive data like passwords and
-take control of the parent process though leaked file descriptors. It is
-for example a way to escape from a chroot. With a leaked listening
-socket, a child process can accept new connections to read sensitive
-data.
+Leaking sensitive file handles and file descriptors can lead to security
+vulnerabilities. An untrusted child process can read sensitive data like
+passwords and take control of the parent process though leaked file
+descriptors. With a leaked listening socket, a child process can accept
+new connections to read sensitive data.
Example of vulnerabilities:
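Review bot: the added paragraph keeps the typo "take control of the parent process though leaked file descriptors"; it should read "through leaked file descriptors". The typo was already in the removed lines, and this rewrite is the natural place to fix it. The rewording also drops the old sentence "It is for example a way to escape from a chroot." without replacement; if that consequence is still meant to be conveyed, consider keeping it alongside the listening-socket case. The unchanged context line "Example of vulnerabilities:" would also read better as "Examples of vulnerabilities:" since a list follows.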
@@ -199,6 +192,11 @@
<http://www.openssh.com/txt/portable-keysign-rand-helper.adv>`_
(2011)
+Read also the CERT Secure Coding Standards:
+`FIO42-C. Ensure files are properly closed when they are no longer
+needed
+<https://www.securecoding.cert.org/confluence/display/seccode/FIO42-C.+Ensure+files+are+properly+closed+when+they+are+no+longer+needed>`_.
+
Issues fixed in the subprocess module
-------------------------------------
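Review bot: "Read also the CERT Secure Coding Standards:" is awkward phrasing; "See also the CERT Secure Coding Standard:" (the usual "see also" idiom, and the standard's singular name) would read more naturally. Moving the FIO42-C reference after the list of real-world vulnerabilities is a reasonable placement, since the reference now supports the examples rather than interrupting the explanation. The three-line reStructuredText link (text wrapped across two lines, URL on the third, closing with "`_.") is well-formed.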
--
Repository URL: http://hg.python.org/peps