Security Considerations
The following modules have specific security considerations:
-
cgi: CGI security considerations -
hashlib: all constructors take a “usedforsecurity” keyword-only argument disabling known insecure and blocked algorithms -
http.serveris not suitable for production use, only implementing basic security checks. See the security considerations. -
logging: Logging configuration uses eval() -
multiprocessing: Connection.recv() uses pickle -
pickle: Restricting globals in pickle -
randomshouldn’t be used for security purposes, usesecretsinstead -
shelve: shelve is based on pickle and thus unsuitable for dealing with untrusted sources -
ssl: SSL/TLS security considerations -
subprocess: Subprocess security considerations -
tempfile: mktemp is deprecated due to vulnerability to race conditions -
xml: XML vulnerabilities -
zipfile: maliciously prepared .zip files can cause disk volume exhaustion
© 2001–2022 Python Software Foundation
Licensed under the PSF License.
https://docs.python.org/3.9/library/security_warnings.html