Skip to content

gh-144484: Warn users not to use wsgiref in production #144487

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sethmlarson merged 1 commit into from
Feb 5, 2026
Merged

gh-144484: Warn users not to use wsgiref in production #144487

sethmlarson merged 1 commit into from
Feb 5, 2026
+5 −0

Conversation

@sethmlarson
Copy link
Contributor

@sethmlarson sethmlarson commented Feb 4, 2026
edited by github-actions bot
Loading

Follow-up from the precautionary CVE for wsgiref, where even though the module is documented as a reference implementation (instead of production-ready), there isn't any explicit docs for this like other modules with this property (eg: http.server).

📚 Documentation preview 📚: https://cpython-previews--144487.org.readthedocs.build/

@bedevere-app bedevere-app bot added awaiting review docs Documentation in the Doc dir skip news labels Feb 4, 2026
@bedevere-app bedevere-app bot mentioned this pull request Feb 4, 2026
Closed
@github-project-automation github-project-automation bot moved this to Todo in Docs PRs Feb 4, 2026
@benediktjohannes
Copy link
Contributor

benediktjohannes commented Feb 5, 2026

LGTM

vstinner
vstinner approved these changes Feb 5, 2026
View reviewed changes
Copy link
Member

@vstinner vstinner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

https://docs.python.org/dev/library/http.server.html has a similar banner but it also has a "Security considerations" section.

@vstinner vstinner added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Feb 5, 2026
@sethmlarson sethmlarson merged commit 7e777c5 into python:main Feb 5, 2026
44 checks passed
@sethmlarson sethmlarson deleted the wsgiref-security-warning branch February 5, 2026 15:43
@github-project-automation github-project-automation bot moved this from Todo to Done in Docs PRs Feb 5, 2026
@miss-islington-app
Copy link

miss-islington-app bot commented Feb 5, 2026

Thanks @sethmlarson for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14.
🐍🍒⛏🤖 I'm not a witch! I'm not a witch!

@vstinner vstinner added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes and removed needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Feb 5, 2026
@miss-islington-app
Copy link

miss-islington-app bot commented Feb 5, 2026

Thanks @sethmlarson for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13.
🐍🍒⛏🤖

@miss-islington-app
Copy link

miss-islington-app bot commented Feb 5, 2026

Thanks @sethmlarson for the PR 🌮🎉.. I'm working now to backport this PR to: 3.14.
🐍🍒⛏🤖

@miss-islington-app
Copy link

miss-islington-app bot commented Feb 5, 2026

Sorry, @sethmlarson, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 7e777c587f01434ac5eea3d63d096f191278dad2 3.13

@miss-islington-app
Copy link

miss-islington-app bot commented Feb 5, 2026

Sorry, @sethmlarson, I could not cleanly backport this to 3.14 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 7e777c587f01434ac5eea3d63d096f191278dad2 3.14

@vstinner
Copy link
Member

vstinner commented Feb 5, 2026

Aha, it seems like you should backport the change manually to 3.14.

@StanFromIreland
Copy link
Member

StanFromIreland commented Feb 5, 2026
edited
Loading

Aha, it seems like you should backport the change manually to 3.14.

The bot got confused, backports have already been merged #144511 / #144512.

Should this not be treated as a security fix and backported all the way?

@StanFromIreland StanFromIreland removed the needs backport to 3.13 bugs and security fixes label Feb 5, 2026
@StanFromIreland StanFromIreland removed the needs backport to 3.14 bugs and security fixes label Feb 5, 2026
@sethmlarson
Copy link
Contributor Author

sethmlarson commented Feb 5, 2026

@StanFromIreland I believe it should be handled as a security-related change.

@sethmlarson sethmlarson added needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes labels Feb 5, 2026
@miss-islington-app
Copy link

miss-islington-app bot commented Feb 5, 2026

Thanks @sethmlarson for the PR 🌮🎉.. I'm working now to backport this PR to: 3.10.
🐍🍒⛏🤖

@miss-islington-app
Copy link

miss-islington-app bot commented Feb 5, 2026

Thanks @sethmlarson for the PR 🌮🎉.. I'm working now to backport this PR to: 3.11.
🐍🍒⛏🤖

@miss-islington-app
Copy link

miss-islington-app bot commented Feb 5, 2026

Thanks @sethmlarson for the PR 🌮🎉.. I'm working now to backport this PR to: 3.12.
🐍🍒⛏🤖

@StanFromIreland
Copy link
Member

StanFromIreland commented Feb 5, 2026
edited
Loading

The bot made the PRs: #144523 #144522 #144521

@StanFromIreland StanFromIreland removed needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes labels Feb 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vstinner vstinner vstinner approved these changes

Assignees

@sethmlarson sethmlarson

Labels

docs Documentation in the Doc dir skip news

Projects

Docs PRs
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@sethmlarson @benediktjohannes @vstinner @StanFromIreland