Merge pull request #567 from tableau/dleskosky_security_doc_update

dleskosky · web-flow · commit 4b9e3d8e2a1c · 2022-10-06T09:19:55.000-07:00
security doc update to let users know to use most recent version of Python
diff --git a/docs/security.md b/docs/security.md
@@ -17,3 +17,7 @@ you may want to consider the following as you use TabPy:
 - Execution of ad-hoc Python scripts can be disabled by turning off the
   /evaluate endpoint. To disable /evaluate endpoint, set "TABPY_EVALUATE_ENABLE"
   to false in config file.
+- Always use the most up-to-date version of Python.
+  TabPy relies on Tornado and if older verions of Python are used with Tornado
+  then malicious users can potentially poison Python server web caches
+  with parameter cloaking.
