
Author vstinner
Recipients vinay.sajip, vstinner
Date 2019-02-18.11:33:48
Message-id <1550489629.06.0.617228042317.issue36022@roundup.psfhosted.org>
Content
The issue has been reported by Alexandre D'Hondt to the PSRT.

I only selected Python 3.8 version, since currently, logging.config explicitly *documents* that eval() is used. Example:

https://docs.python.org/3/library/logging.config.html#logging.config.listen

This issue is not a security vulnerability: you shouldn't let your users modify your logging configuration.

Alex Gaynor asked: "Does anyone know whether the logging config is considered to be equally privileged to the code using it or not?"

Paul McMillan wrote: "This does not qualify for a CVE. Allowing someone else to configure your logging endpoints would result in significant harm to your app in any language. For instance, in many applications you could turn the log level to debug, and then capture things like database credentials. Additionally, this behavior is extremely clearly documented with a callout warning, and is thus expected behavior."

(Quotes from private PSRT list.)
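The message above points at the documented use of eval() in logging.config.listen() and notes that the logging configuration is as privileged as the code consuming it. The listen() documentation linked above also describes a `verify` callable (Python 3.4+) that is applied to each payload before it is processed. The following is an added example, not code from the issue or from CPython: it authenticates configuration payloads with an HMAC so that unauthenticated bytes never reach dictConfig()/fileConfig(). The shared key, the tag layout and the sample config are constructed for illustration.

```python
import hashlib
import hmac
import json
import logging
import logging.config

# Constructed shared secret for the example; a real deployment loads it from a secret store.
SHARED_KEY = b"example-shared-key-not-for-production"
TAG_LEN = 32  # raw HMAC-SHA256 tag prefixed to the JSON body


def sign_config(config: dict, key: bytes = SHARED_KEY) -> bytes:
    """Serialize a dictConfig() dict as JSON and prefix a raw HMAC-SHA256 tag."""
    body = json.dumps(config).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def verify_config(data: bytes, key: bytes = SHARED_KEY):
    """verify callable for logging.config.listen(verify=...).

    listen() calls this with the raw bytes received on the socket. Returning None
    rejects the payload before it is parsed; returning bytes hands those bytes on
    to dictConfig()/fileConfig() (and therefore to eval() in the fileConfig path).
    """
    if len(data) < TAG_LEN:
        return None
    tag, body = data[:TAG_LEN], data[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return body


def apply_if_authentic(data: bytes, key: bytes = SHARED_KEY) -> bool:
    """Mirror what listen() does after verify: apply the config only if it checks out."""
    body = verify_config(data, key)
    if body is None:
        return False
    logging.config.dictConfig(json.loads(body.decode("utf-8")))
    return True


# Constructed minimal dictConfig payload used by the demonstration.
SAMPLE_CONFIG = {
    "version": 1,
    "disable_existing_loggers": False,
    "loggers": {"example.app": {"level": "DEBUG"}},
}

# Wiring into the stock listener: only payloads accepted by verify_config are applied.
# logging.config.listen(verify=verify_config).start()
```

Without a `verify` callable, listen() applies whatever arrives on the socket, which is exactly the "configuration is privileged" point made in the message.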