From: Vinay Sajip <vinay_sajip@yahoo.co.uk>
Date: Thu, 6 Jan 2022 22:35:08 +0000 (+0000)
Subject: bpo-46251: Add 'Security Considerations' section to logging configura… (GH-30411)
X-Git-Tag: v3.11.0a4~63
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=46c7a6566bca2e974a89c90c35ed1c498d9d3b02;p=thirdparty%2FPython%2Fcpython.git

bpo-46251: Add 'Security Considerations' section to logging configura… (GH-30411)
---

diff --git a/Doc/library/logging.config.rst b/Doc/library/logging.config.rst
index 5a3e686802ea..a1b8dc755ba6 100644
--- a/Doc/library/logging.config.rst
+++ b/Doc/library/logging.config.rst
@@ -191,6 +191,20 @@ in :mod:`logging` itself) and defining handlers which are declared either in
    :func:`listen`.
 
 
+Security considerations
+^^^^^^^^^^^^^^^^^^^^^^^
+
+The logging configuration functionality tries to offer convenience, and in part this
+is done by offering the ability to convert text in configuration files into Python
+objects used in logging configuration - for example, as described in
+:ref:`logging-config-dict-userdef`. However, these same mechanisms (importing
+callables from user-defined modules and calling them with parameters from the
+configuration) could be used to invoke any code you like, and for this reason you
+should treat configuration files from untrusted sources with *extreme caution* and
+satisfy yourself that nothing bad can happen if you load them, before actually loading
+them.
+
+
 .. _logging-config-dictschema:
 
 Configuration dictionary schema