From 188fbdee0d6721a948eabb81cdcacac371614793 Mon Sep 17 00:00:00 2001 From: "Miss Islington (bot)" <31488909+miss-islington@users.noreply.github.com> Date: Thu, 6 Jan 2022 15:18:18 -0800 Subject: [PATCH] =?utf8?q?[3.9]=20bpo-46251:=20Add=20'Security=20Considera?= =?utf8?q?tions'=20section=20to=20logging=20configura=E2=80=A6=20(GH-30411?= =?utf8?q?)=20(GH-30448)?= MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit --- Doc/library/logging.config.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Doc/library/logging.config.rst b/Doc/library/logging.config.rst index d4dc585351ba..afc32e64bc79 100644 --- a/Doc/library/logging.config.rst +++ b/Doc/library/logging.config.rst @@ -186,6 +186,20 @@ in :mod:`logging` itself) and defining handlers which are declared either in :func:`listen`. +Security considerations +^^^^^^^^^^^^^^^^^^^^^^^ + +The logging configuration functionality tries to offer convenience, and in part this +is done by offering the ability to convert text in configuration files into Python +objects used in logging configuration - for example, as described in +:ref:`logging-config-dict-userdef`. However, these same mechanisms (importing +callables from user-defined modules and calling them with parameters from the +configuration) could be used to invoke any code you like, and for this reason you +should treat configuration files from untrusted sources with *extreme caution* and +satisfy yourself that nothing bad can happen if you load them, before actually loading +them. + + .. _logging-config-dictschema: Configuration dictionary schema -- 2.47.3
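Review bot: the new paragraph narrows the warning to "configuration files from untrusted sources", while the hunk's leading context line already names :func:`listen`, which accepts configuration data over a socket rather than from a file; suggest widening the wording to "configuration data from untrusted sources, whether read from a file or received via :func:`listen`" so readers do not conclude that only file-based configuration can import and invoke arbitrary callables. The closing advice "satisfy yourself that nothing bad can happen if you load them" is also too vague for a security note; a concrete check such as "verify that every module and callable the configuration references is one you intend to have imported and invoked with the given parameters" gives the reader something actionable and matches the mechanism the paragraph itself describes.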