
Security Considerations — Python documentation

Python/docs/3.9/library/security warnings

Security Considerations

The following modules have specific security considerations:

  • cgi: CGI security considerations
  • hashlib: all constructors take a “usedforsecurity” keyword-only argument disabling known insecure and blocked algorithms
  • http.server is not suitable for production use, only implementing basic security checks
  • logging: Logging configuration uses eval()
  • multiprocessing: Connection.recv() uses pickle
  • pickle: Restricting globals in pickle
  • random shouldn’t be used for security purposes; use secrets instead
  • shelve: shelve is based on pickle and thus unsuitable for dealing with untrusted sources
  • ssl: SSL/TLS security considerations
  • subprocess: Subprocess security considerations
  • tempfile: mktemp is deprecated due to vulnerability to race conditions
  • xml: XML vulnerabilities
  • zipfile: maliciously prepared .zip files can cause disk volume exhaustion


