[issue15452] Improve the security model for logging listener()

2016-12-31 Thread Vinay Sajip

Changes by Vinay Sajip:


--
resolution:  -> fixed
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue15452] Improve the security model for logging listener()

2016-09-08 Thread Vinay Sajip

Vinay Sajip added the comment:

> Can this ticket be closed?

I suppose so - I didn't implement the addition of lookup_eval() to the ast 
module as I thought it might be a slight overkill. Given that the calls to 
eval() from fileConfig() have been there from when logging was added to the 
stdlib, and as this ticket has been quiet since 2012, I suppose there's no real 
concern about the eval() being a security issue. If there is such a concern, 
then my proposal to add lookup_eval() to the ast module should be considered 
(it didn't get any review comments when I proposed it).

--
status: pending -> open




[issue15452] Improve the security model for logging listener()

2016-09-08 Thread Christian Heimes

Christian Heimes added the comment:

Can this ticket be closed?

--
nosy: +christian.heimes
status: open -> pending




[issue15452] Improve the security model for logging listener()

2014-03-10 Thread Roundup Robot

Roundup Robot added the comment:

New changeset fe1804387687 by R David Murray in branch 'default':
whatsnew: logging.config.listen *verify* (#15452).
http://hg.python.org/cpython/rev/fe1804387687

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue15452
___



[issue15452] Improve the security model for logging listener()

2013-12-28 Thread Vinay Sajip

Changes by Vinay Sajip vinay_sa...@yahoo.co.uk:


--
versions: +Python 3.5 -Python 3.4




[issue15452] Improve the security model for logging listener()

2012-10-11 Thread Vinay Sajip

Changes by Vinay Sajip vinay_sa...@yahoo.co.uk:


--
hgrepos: +154




[issue15452] Improve the security model for logging listener()

2012-10-11 Thread Vinay Sajip

Changes by Vinay Sajip vinay_sa...@yahoo.co.uk:


--
keywords: +patch
Added file: http://bugs.python.org/file27531/3d0ca1e82c46.diff




[issue15452] Improve the security model for logging listener()

2012-10-02 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 26c3d170fd56 by Vinay Sajip in branch 'default':
Issue #15452: Added verify option for logging configuration socket listener.
http://hg.python.org/cpython/rev/26c3d170fd56

--
nosy: +python-dev
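
The verify option named in the changeset above, shown in use as an added example (not code from the changeset or from this thread). logging.config.listen() passes the received bytes to the verify callable and applies whatever bytes it returns, or discards the data if it returns None. The HMAC scheme, the names sign_config, frame and verify_config, the key, the port and the sample configuration are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import logging.config
import struct

# Constructed demo key; a real deployment loads it from a secret store
# shared by the sender and the listening process.
SHARED_KEY = b"constructed-demo-key"
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag

# Constructed sample configuration (dictConfig schema, sent as JSON).
SAMPLE_CONFIG = json.dumps({"version": 1, "root": {"level": "WARNING"}}).encode()


def sign_config(config_bytes, key=SHARED_KEY):
    """Sender side: prepend an HMAC-SHA256 tag to the configuration."""
    return hmac.new(key, config_bytes, hashlib.sha256).digest() + config_bytes


def frame(payload):
    """listen() wire format: 4-byte big-endian length, then the payload."""
    return struct.pack(">L", len(payload)) + payload


def verify_config(received, key=SHARED_KEY):
    """verify hook: return the bytes to apply, or None to discard them."""
    if len(received) <= TAG_LEN:
        return None
    tag, config_bytes = received[:TAG_LEN], received[TAG_LEN:]
    expected = hmac.new(key, config_bytes, hashlib.sha256).digest()
    # Constant-time comparison; a mismatch means the config is never parsed.
    return config_bytes if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    import socket
    import time

    listener = logging.config.listen(9999, verify=verify_config)
    listener.start()
    time.sleep(0.5)  # crude wait for the listener thread to bind
    with socket.create_connection(("localhost", 9999)) as conn:
        conn.sendall(frame(sign_config(SAMPLE_CONFIG)))
    time.sleep(0.5)  # let the handler apply the configuration
    logging.config.stopListening()
    listener.join()
```

An HMAC tag authenticates the sender but does not stop replay of an older signed configuration; add a counter or timestamp inside the signed bytes if that matters.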




[issue15452] Improve the security model for logging listener()

2012-10-02 Thread Vinay Sajip

Vinay Sajip added the comment:

I've updated logging as discussed in this issue, except for the removal of the 
two calls to eval() in logging.config. I propose to resolve that as follows:

1. Add the Evaluator implemented in the Gist I linked to to ast.py.
2. Expose a function 'ast.lookup_eval(source, context, allow_import)' which 
basically just does a

    return Evaluator(context, allow_import).evaluate(source, 'lookup_eval')

3. Add docs and tests to ast.rst and test_ast.py.
4. Update logging.config to call ast.lookup_eval() instead of eval().

Please comment if you see any problems with this, otherwise I will go
ahead and implement this change within the next week or so.

--
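
A sketch of the kind of restricted evaluation proposed in the message above, added here as an example. It is not the Evaluator from the Gist (which this thread does not reproduce) and not code from CPython. The names restricted_lookup_eval, CONTEXT, ACCEPTED, REFUSED and is_refused are hypothetical, and the sample values are constructed in the style of the class= and args= values that fileConfig() passes to eval().

```python
import ast
import logging
import logging.handlers
import sys


def restricted_lookup_eval(source, context):
    """Evaluate literals, tuples/lists/dicts, names present in `context` and
    public attribute lookups on them; calls, operators, subscripts and any
    other syntax raise ValueError."""
    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Tuple):
            return tuple(ev(e) for e in node.elts)
        if isinstance(node, ast.List):
            return [ev(e) for e in node.elts]
        if isinstance(node, ast.Dict):
            return {ev(k): ev(v) for k, v in zip(node.keys, node.values)}
        if isinstance(node, ast.Name):
            if node.id not in context:
                raise ValueError("unknown name: %r" % node.id)
            return context[node.id]
        if isinstance(node, ast.Attribute):
            if node.attr.startswith("_"):
                raise ValueError("private attribute refused: %r" % node.attr)
            return getattr(ev(node.value), node.attr)
        raise ValueError("disallowed syntax: %s" % type(node).__name__)
    return ev(ast.parse(source.strip(), mode="eval"))


# Explicit allow-list of names (an assumption of this example), rather than
# a whole module namespace with builtins reachable.
CONTEXT = {"sys": sys, "handlers": logging.handlers,
           "StreamHandler": logging.StreamHandler}

# Constructed sample values.
ACCEPTED = ["StreamHandler", "(sys.stdout,)", "handlers.RotatingFileHandler",
            "('app.log', 'a', 1048576, 3)"]
REFUSED = ["__import__('os')", "sys.modules['os']", "().__class__",
           "open('x')", "1 + 1"]


def is_refused(source):
    """True if the restricted evaluator rejects `source`."""
    try:
        restricted_lookup_eval(source, CONTEXT)
    except ValueError:
        return True
    return False
```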




[issue15452] Improve the security model for logging listener()

2012-07-29 Thread Nick Coghlan

Nick Coghlan added the comment:

Yep, that's exactly the kind of hook I had in mind. That way the user can 
decide for themselves what level of scrutiny they want to apply.

--
title: Eliminate the use of eval() in the logging config implementation -> Improve the security model for logging listener()
