.. _security-warnings:

.. index:: single: security considerations

Security Considerations
=======================

The following modules have specific security considerations:

* :mod:`base64`: :ref:`base64 security considerations <base64-security>` in
  :rfc:`4648`
* :mod:`cgi`: :ref:`CGI security considerations <cgi-security>`
* :mod:`hashlib`: :ref:`all constructors take a "usedforsecurity" keyword-only
  argument disabling known insecure and blocked algorithms
  <hashlib-usedforsecurity>`
* :mod:`http.server` is not suitable for production use, only implementing
  basic security checks. See the :ref:`security considerations <http.server-security>`.
* :mod:`logging`: :ref:`Logging configuration uses eval()
  <logging-eval-security>`
* :mod:`multiprocessing`: :ref:`Connection.recv() uses pickle
  <multiprocessing-recv-pickle-security>`
* :mod:`pickle`: :ref:`Restricting globals in pickle <pickle-restrict>`
* :mod:`random` shouldn't be used for security purposes, use :mod:`secrets`
  instead
* :mod:`shelve`: :ref:`shelve is based on pickle and thus unsuitable for
  dealing with untrusted sources <shelve-security>`
* :mod:`ssl`: :ref:`SSL/TLS security considerations <ssl-security>`
* :mod:`subprocess`: :ref:`Subprocess security considerations
  <subprocess-security>`
* :mod:`tempfile`: :ref:`mktemp is deprecated due to vulnerability to race
  conditions <tempfile-mktemp-deprecated>`
* :mod:`xml`: :ref:`XML vulnerabilities <xml-vulnerabilities>`
* :mod:`zipfile`: :ref:`maliciously prepared .zip files can cause disk volume
  exhaustion <zipfile-resources-limitations>`

The :option:`-I` command line option can be used to run Python in isolated
mode. When it cannot be used, the :option:`-P` option or the
:envvar:`PYTHONSAFEPATH` environment variable can be used to not prepend a
potentially unsafe path to :data:`sys.path` such as the current directory, the
script's directory or an empty string.
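The effect of the options in the paragraph above can be checked with the following added example, which is not part of the original documentation: it launches a script from a directory that also contains a file named after a standard-library module and reports which launch modes import the local file. The file names ``main.py`` and ``colorsys.py`` and the ``SHADOWED`` marker are constructed for illustration, and the ``-P`` and ``PYTHONSAFEPATH`` cases are only run on Python 3.11 or later, where those options exist.

```python
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed sample files: a script plus a same-directory file named after a
# standard-library module (colorsys), standing in for an untrusted working tree.
SCRIPT = "import colorsys\nprint(hasattr(colorsys, 'SHADOWED'))\n"
SHADOW = "SHADOWED = True\n"


def run_case(script: Path, flags: list, extra_env: dict) -> bool:
    """Return True if the local colorsys.py was imported instead of the stdlib one."""
    # Start from the caller's environment, but drop PYTHONSAFEPATH so the
    # baseline case really shows the default behaviour.
    env = {k: v for k, v in os.environ.items() if k != "PYTHONSAFEPATH"}
    env.update(extra_env)
    out = subprocess.run(
        [sys.executable, *flags, str(script)],
        env=env, capture_output=True, text=True, check=True,
    )
    return out.stdout.strip() == "True"


def shadow_report() -> dict:
    """Map each launch mode to whether the script directory shadowed the stdlib."""
    with tempfile.TemporaryDirectory() as tmp:
        script = Path(tmp) / "main.py"
        script.write_text(SCRIPT)
        (Path(tmp) / "colorsys.py").write_text(SHADOW)

        cases = {"default": ([], {}), "-I": (["-I"], {})}
        if sys.version_info >= (3, 11):  # -P and PYTHONSAFEPATH were added in 3.11
            cases["-P"] = (["-P"], {})
            cases["PYTHONSAFEPATH=1"] = ([], {"PYTHONSAFEPATH": "1"})
        return {name: run_case(script, flags, env)
                for name, (flags, env) in cases.items()}


if __name__ == "__main__":
    for mode, shadowed in shadow_report().items():
        print(f"{mode:18} local colorsys.py imported: {shadowed}")
```
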