STINNER Victor <vstin...@redhat.com> added the comment:

The issue has been reported by Alexandre D'Hondt to the PSRT. I only selected the Python 3.8 version, since currently, logging.config explicitly *documents* that eval() is used. Example: https://docs.python.org/3/library/logging.config.html#logging.config.listen

This issue is not a security vulnerability: you shouldn't let your users modify your logging configuration.

Alex Gaynor asked: "Does anyone know whether the logging config is considered to be equally privileged to the code using it or not?"

Paul McMillan wrote: "This does not qualify for a CVE. Allowing someone else to configure your logging endpoints would result in significant harm to your app in any language. For instance, in many applications you could turn the log level to debug, and then capture things like database credentials. Additionally, this behavior is extremely clearly documented with a callout warning, and is thus expected behavior."

(Quotes from private PSRT list.)

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue36022>
_______________________________________
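The comment's point is that whoever can reach the `logging.config.listen()` socket controls the logging configuration, so the socket must only accept configuration from a trusted source. As an added example (not part of the tracker message and not CPython's own code), the block below shows the defensive pattern Python 3.8 and later support for this: the `verify` callback that `logging.config.listen()` accepts receives the raw bytes from the socket and may return `None` to drop them, so the configuration can be authenticated with an HMAC before any of it is parsed or applied. The shared key, the sample configurations and the `demo` logger names are constructed for this example; the 4-byte length prefix is the wire format `listen()` already uses.

```python
"""Authenticate logging configuration before logging.config.listen() applies it."""
import hashlib
import hmac
import json
import logging
import logging.config
import socket
import struct
import time

# Constructed shared secret for this demo; a real deployment loads it from a secrets store.
SHARED_KEY = b"constructed-demo-key-change-me"
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def sign_config(config_bytes: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Prefix a configuration payload with an HMAC-SHA256 tag over its bytes."""
    tag = hmac.new(key, config_bytes, hashlib.sha256).digest()
    return tag + config_bytes


def make_verifier(key: bytes = SHARED_KEY):
    """Build the callback passed as logging.config.listen(verify=...).

    listen() calls it with the bytes read from the socket. Returning None makes
    listen() discard the message; returning bytes passes that payload on to
    dictConfig()/fileConfig(), so nothing unauthenticated is ever evaluated.
    """
    def verify(data: bytes):
        if len(data) <= TAG_LEN:
            return None  # too short to carry a tag plus a configuration
        tag, body = data[:TAG_LEN], data[TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or tampered: dropped before any parsing
        return body
    return verify


def send_config(port: int, payload: bytes) -> None:
    """Send one message in listen()'s wire format: big-endian 4-byte length, then payload."""
    with socket.create_connection(("localhost", port)) as conn:
        conn.sendall(struct.pack(">L", len(payload)) + payload)


def demo() -> tuple:
    """Start a listener on an ephemeral port, send a forged and a signed config.

    Returns (level of 'demo' logger, level of 'demo.forged' logger): the signed
    configuration sets the first to WARNING; the forged one, which tried to set
    the second to DEBUG, is dropped by verify() and leaves it at NOTSET.
    """
    signed = json.dumps({"version": 1, "disable_existing_loggers": False,
                         "loggers": {"demo": {"level": "WARNING"}}}).encode()
    forged = json.dumps({"version": 1, "disable_existing_loggers": False,
                         "loggers": {"demo.forged": {"level": "DEBUG"}}}).encode()
    server = logging.config.listen(port=0, verify=make_verifier())
    server.start()
    server.ready.wait()  # after this, server.port holds the bound ephemeral port
    try:
        send_config(server.port, forged)               # no tag: rejected
        send_config(server.port, sign_config(signed))  # authenticated: applied
        deadline = time.monotonic() + 5
        while (logging.getLogger("demo").level != logging.WARNING
               and time.monotonic() < deadline):
            time.sleep(0.05)  # the listener applies config on its own thread
    finally:
        logging.config.stopListening()
        server.join()
    return logging.getLogger("demo").level, logging.getLogger("demo.forged").level


if __name__ == "__main__":
    print(demo())  # (30, 0) once the signed configuration has been applied
```

Only the HMAC check protects the socket here; it still listens on every interface, so in practice it also belongs behind a firewall rule or bound to loopback, and the key must be distributed only to the operator tooling allowed to reconfigure the process.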
The issue has been reported by Alexandre D'Hondt to th PSRT. I only selected Python 3.8 version, since currently, logging.config explicitly *documents* that eval() is used. Example: https://docs.python.org/3/library/logging.config.html#logging.config.listen This issue is not a security vulnerability: you shouldn't let your users modify your logging configuration. Alex Gaynor asked: "Does anyone know whether the logging config is considered to be equally privileged to the code using it or not?" Paul McMillan wrote: "This does not qualify for a CVE. Allowing someone else to configure your logging endpoints would result in significant harm to your app in any language. For instance, in many applications you could turn the log level to debug, and then capture things like database credentials. Additionally, this behavior is extremely clearly documented with a callout warning, and is thus expected behavior." (Quotes from private PSRT list.) ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue36022> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com