[3.9] bpo-46251: Add 'Security Considerations' section to logging configura… (GH...

author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>

Thu, 6 Jan 2022 23:18:18 +0000 (15:18 -0800)

committer GitHub <noreply@github.com>

Thu, 6 Jan 2022 23:18:18 +0000 (23:18 +0000)
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Thu, 6 Jan 2022 23:18:18 +0000 (15:18 -0800)
committer GitHub <noreply@github.com>
Thu, 6 Jan 2022 23:18:18 +0000 (23:18 +0000)
diff --git a/Doc/library/logging.config.rst b/Doc/library/logging.config.rst

index d4dc585351bab3d14d5d02e0e13418918acc6ae8..afc32e64bc7988d83114c41024b17fc9a9450a8c 100644 (file)
--- a/Doc/library/logging.config.rst
+++ b/Doc/library/logging.config.rst
@@ -186,6 +186,20 @@ in :mod:`logging` itself) and defining handlers which are declared either in
     :func:`listen`.
  
  
+Security considerations
+^^^^^^^^^^^^^^^^^^^^^^^
+
+The logging configuration functionality tries to offer convenience, and in part this
+is done by offering the ability to convert text in configuration files into Python
+objects used in logging configuration - for example, as described in
+:ref:`logging-config-dict-userdef`. However, these same mechanisms (importing
+callables from user-defined modules and calling them with parameters from the
+configuration) could be used to invoke any code you like, and for this reason you
+should treat configuration files from untrusted sources with *extreme caution* and
+satisfy yourself that nothing bad can happen if you load them, before actually loading
+them.
+
+
  .. _logging-config-dictschema:
  
  Configuration dictionary schema
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
	Thu, 6 Jan 2022 23:18:18 +0000 (15:18 -0800)
committer	GitHub <noreply@github.com>
	Thu, 6 Jan 2022 23:18:18 +0000 (23:18 +0000)