.. _security-warnings:

.. index:: single: security considerations

Security Considerations
=======================

The following modules have specific security considerations:

* :mod:`base64`: :ref:`base64 security considerations <base64-security>` in
  :rfc:`4648`
* :mod:`cgi`: :ref:`CGI security considerations <cgi-security>`
* :mod:`hashlib`: :ref:`all constructors take a "usedforsecurity" keyword-only
  argument disabling known insecure and blocked algorithms
  <hashlib-usedforsecurity>`
* :mod:`http.server` is not suitable for production use, only implementing
  basic security checks
* :mod:`logging`: :ref:`Logging configuration uses eval()
  <logging-eval-security>`
* :mod:`multiprocessing`: :ref:`Connection.recv() uses pickle
  <multiprocessing-recv-pickle-security>`
* :mod:`pickle`: :ref:`Restricting globals in pickle <pickle-restrict>`
* :mod:`random` shouldn't be used for security purposes, use :mod:`secrets`
  instead
* :mod:`shelve`: :ref:`shelve is based on pickle and thus unsuitable for
  dealing with untrusted sources <shelve-security>`
* :mod:`ssl`: :ref:`SSL/TLS security considerations <ssl-security>`
* :mod:`subprocess`: :ref:`Subprocess security considerations
  <subprocess-security>`
* :mod:`tempfile`: :ref:`mktemp is deprecated due to vulnerability to race
  conditions <tempfile-mktemp-deprecated>`
* :mod:`xml`: :ref:`XML vulnerabilities <xml-vulnerabilities>`
* :mod:`zipfile`: :ref:`maliciously prepared .zip files can cause disk volume
  exhaustion <zipfile-resources-limitations>`