The following modules have specific security considerations:
- hashlib: all constructors take a “usedforsecurity” keyword-only argument disabling known insecure and blocked algorithms
- http.server is not suitable for production use, only implementing basic security checks
- random shouldn’t be used for security purposes, use secrets instead
- shelve: shelve is based on pickle and thus unsuitable for dealing with untrusted sources
- tempfile: mktemp is deprecated due to vulnerability to race conditions
- zipfile: maliciously prepared .zip files can cause disk volume exhaustion
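For the zipfile item, one way to bound how far an untrusted archive may expand before anything is written out. This is an added example, not code from the Python documentation; the function names, the limits and the in-memory sample archive are assumptions made for illustration.

```python
import io
import zipfile

MAX_TOTAL_BYTES = 10 * 1024 * 1024  # assumed budget for the whole archive
MAX_RATIO = 100                     # assumed cap on declared compression ratio
CHUNK = 64 * 1024


class ArchiveRejected(Exception):
    """Raised when an archive exceeds the extraction budget."""


def safe_read_all(data, max_total=MAX_TOTAL_BYTES):
    """Return {name: bytes} for a zip held in memory, or raise ArchiveRejected."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # Cheap pre-check on the sizes the central directory declares.
        if sum(i.file_size for i in infos) > max_total:
            raise ArchiveRejected("declared size over budget")
        for i in infos:
            if i.compress_size and i.file_size / i.compress_size > MAX_RATIO:
                raise ArchiveRejected(f"suspicious ratio: {i.filename}")
        # Defense in depth: also count the bytes actually decompressed.
        remaining = max_total
        for i in infos:
            if i.is_dir():
                continue
            buf = bytearray()
            with zf.open(i) as fh:
                while chunk := fh.read(CHUNK):
                    remaining -= len(chunk)
                    if remaining < 0:
                        raise ArchiveRejected("actual size over budget")
                    buf += chunk
            out[i.filename] = bytes(buf)
    return out


def build_sample(payloads):
    """Constructed sample input: an in-memory zip built from {name: bytes}."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in payloads.items():
            zf.writestr(name, body)
    return bio.getvalue()
```

The same budget applies when writing to disk: stream each member to its destination in chunks and stop as soon as the counter goes negative.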