[issue36022] [Security] logging.config should not use eval()

2019-05-06 Thread Logan Jones


Logan Jones  added the comment:

I'd like to work on this during the Pycon sprints

--
nosy: +loganasherjones

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue36022] [Security] logging.config should not use eval()

2019-02-18 Thread Carol Willing


Carol Willing  added the comment:

Assigning this to @Mariatta, to be worked on the mentored sprint at PyCon US 
Cleveland.

--
assignee:  -> Mariatta
nosy: +Mariatta, willingc




[issue36022] [Security] logging.config should not use eval()

2019-02-18 Thread Karthikeyan Singaravelan


Karthikeyan Singaravelan  added the comment:

Some discussion in issue15452 about using ast.literal_eval instead of eval, 
which I think is similar to this report.

--
nosy: +xtreak

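
The ast.literal_eval suggestion above, worked through as an added example (this is not CPython's logging.config code and not code from anyone on this thread): a parser for the fileConfig handler `args` string that never calls eval(). The `ALLOWED_NAMES` allow-list is hypothetical; it exists because a plain literal_eval rejects the common idiom `args=(sys.stderr,)`, which the stdlib config-file format permits, while still refusing calls, operators and any other name. The args strings in the docstrings are constructed samples.

```python
import ast
import sys

# Hypothetical allow-list (not stdlib behaviour): the only non-literal
# names a config file may reference, mapped to the objects they denote.
# It covers the common idiom args=(sys.stderr,) that literal_eval alone
# would reject.
ALLOWED_NAMES = {"sys.stderr": sys.stderr, "sys.stdout": sys.stdout}


def _dotted_name(node):
    """Return 'a.b' for a Name/Attribute chain; anything else is refused."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return _dotted_name(node.value) + "." + node.attr
    raise ValueError("unsupported expression in logging config args")


def _resolve(node):
    """Literals go through ast.literal_eval; dotted names only via the
    allow-list; calls, operators and subscripts raise ValueError."""
    if isinstance(node, (ast.Name, ast.Attribute)):
        dotted = _dotted_name(node)
        if dotted not in ALLOWED_NAMES:
            raise ValueError(f"name {dotted!r} not permitted in logging config")
        return ALLOWED_NAMES[dotted]
    return ast.literal_eval(node)  # ValueError for any non-literal node


def parse_handler_args(text):
    """Parse a fileConfig 'args' string such as "('app.log', 'a')" into a
    tuple without eval(); the stdlib passes this string to eval() instead."""
    try:
        tree = ast.parse(text.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"args is not a valid expression: {exc}") from None
    if not isinstance(tree.body, ast.Tuple):
        raise ValueError("args must be a tuple, e.g. ('app.log', 'a')")
    return tuple(_resolve(elt) for elt in tree.body.elts)


def is_rejected(text):
    """True if parse_handler_args() refuses the constructed args string."""
    try:
        parse_handler_args(text)
    except ValueError:
        return True
    return False
```

Nested containers are still handled by literal_eval, but a name inside a nested list or tuple is rejected because only top-level elements are checked against the allow-list.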



[issue36022] [Security] logging.config should not use eval()

2019-02-18 Thread STINNER Victor


STINNER Victor  added the comment:

The issue has been reported by Alexandre D'Hondt to the PSRT.

I only selected the Python 3.8 version, since currently logging.config explicitly 
*documents* that eval() is used. Example:

https://docs.python.org/3/library/logging.config.html#logging.config.listen

This issue is not a security vulnerability: you shouldn't let your users modify 
your logging configuration.

Alex Gaynor asked: "Does anyone know whether the logging config is considered 
to be equally privileged to the code using it or not?"

Paul McMillan wrote: "This does not qualify for a CVE. Allowing someone else to 
configure your logging endpoints would result in significant harm to your app 
in any language. For instance, in many applications you could turn the log 
level to debug, and then capture things like database credentials. 
Additionally, this behavior is extremely clearly documented with a callout 
warning, and is thus expected behavior."

(Quotes from private PSRT list.)

--




[issue36022] [Security] logging.config should not use eval()

2019-02-18 Thread STINNER Victor


Change by STINNER Victor :


--
title: logging.config should not use eval() -> [Security] logging.config should 
not use eval()
