PEP 446: rephrase the Security Vulnerability section

2013-08-15 11:38:10 +02:00 · 2013-08-15 11:38:10 +02:00 · 2c51e21d3b
parent 1f5389735d
commit 2c51e21d3b
1 changed files with 10 additions and 12 deletions
--- a/pep-0446.txt
+++ b/pep-0446.txt
@ -170,18 +170,11 @@ Example of issues in open source projects:
 Security Vulnerability
 ----------------------

-Leaking file descriptors is also a well known security vulnerability:
-read
-`FIO42-C. Ensure files are properly closed when they are no longer
-needed
-<https://www.securecoding.cert.org/confluence/display/seccode/FIO42-C.+Ensure+files+are+properly+closed+when+they+are+no+longer+needed>`_
-of the CERT.
-
-An untrusted child process can read sensitive data like passwords and
-take control of the parent process though leaked file descriptors. It is
-for example a way to escape from a chroot. With a leaked listening
-socket, a child process can accept new connections to read sensitive
-data.
+Leaking sensitive file handles and file descriptors can lead to security
+vulnerabilities. An untrusted child process can read sensitive data like
+passwords and take control of the parent process though leaked file
+descriptors. With a leaked listening socket, a child process can accept
+new connections to read sensitive data.

 Example of vulnerabilities:

@ -199,6 +192,11 @@ Example of vulnerabilities:
  <http://www.openssh.com/txt/portable-keysign-rand-helper.adv>`_
  (2011)

+Read also the CERT Secure Coding Standards:
+`FIO42-C. Ensure files are properly closed when they are no longer
+needed
+<https://www.securecoding.cert.org/confluence/display/seccode/FIO42-C.+Ensure+files+are+properly+closed+when+they+are+no+longer+needed>`_.
+

 Issues fixed in the subprocess module
 -------------------------------------