Title: Signpost security considerations in library
Type: enhancement Stage: patch review
Components: Documentation Versions:
Status: open Resolution:
Dependencies: Superseder:
Assigned To: docs@python Nosy List: anthonypjshaw, christian.heimes, docs@python, eric.araujo, mdk, willingc
Priority: normal Keywords: patch

Created on 2020-01-30 05:14 by anthonypjshaw, last changed 2020-06-25 05:44 by christian.heimes.

Pull Requests
URL Status Linked Edit
PR 18272 open anthonypjshaw, 2020-01-30 05:15
Messages (6)
msg361009 - (view) Author: anthony shaw (anthonypjshaw) * (Python triager) Date: 2020-01-30 05:14
Within the documentation, there are some really important security considerations for standard library modules. e.g. subprocess, ssl, pickle, xml.

There is currently no "index" of these, so you have to go hunting for them. They're easter eggs within the docs. There isn't a unique admonition type either, so you have to search across many criteria.

In particular for security researchers, it would be useful to consolidate and signpost these security best-practices in one index.

PR to follow.
msg361697 - (view) Author: Julien Palard (mdk) * (Python committer) Date: 2020-02-10 14:18
Asked on gh:

> this is a "security guidance for standard library modules" index?

(I'm not sure I understand the question exactly)

I think it could be useful from a reviewer's point of view to have such an index, so he can iterate over it and check point by point whether the code is OK.

In this case, linking to all notes like "beware, wrong usage of this could lead to security issues" looks like what's needed in this index.

Anthony: did you open the issue with this in mind, or with any other usages?
msg361746 - (view) Author: Carol Willing (willingc) * (Python committer) Date: 2020-02-10 23:07
I agree that a helpful entry in the index would be a nice addition. Christian would be the person to start with since he probably has ideas what would be useful too.
msg372288 - (view) Author: Éric Araujo (eric.araujo) * (Python committer) Date: 2020-06-24 22:01
I think that we could make this easier with a custom directive that’s rendered into the appropriate markup during build and auto-generates the index page with links to all links.  No error-prone manual update needed!
msg372302 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-06-25 05:40
msg372303 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-06-25 05:44
There are more features that should have security considerations, e.g. builtin functions like eval and exec.
Date User Action Args
2020-06-25 05:44:28 christian.heimes set messages: + msg372303
2020-06-25 05:40:44 christian.heimes set nosy: + christian.heimes; messages: + msg372302
2020-06-24 22:01:55 eric.araujo set nosy: + eric.araujo; messages: + msg372288
2020-02-10 23:07:17 willingc set nosy: + willingc; messages: + msg361746
2020-02-10 14:18:35 mdk set nosy: + mdk; messages: + msg361697
2020-01-30 05:15:42 anthonypjshaw set keywords: + patch; stage: patch review; pull_requests: + pull_request17647
2020-01-30 05:14:32 anthonypjshaw create