{"id":4481,"library":"config","title":"Config","description":"Config is a Python module that provides a hierarchical, easy-to-use, and powerful configuration scheme. It supports mappings, sequences, cross-references between configuration parts, flexible access to Python objects, includes, simple expression evaluation, and the ability to change, save, cascade, and merge configurations. It also interfaces easily with environment variables and command-line options. The current version is 0.5.1 and it appears to be actively maintained, with the latest release in September 2021 and recent mentions in 2025-2026 as stable.","status":"active","version":"0.5.1","language":"en","source_language":"en","source_url":"http://docs.red-dove.com/cfg/python.html","tags":["configuration","hierarchical","parser","ini-like","environment variables","cross-references"],"install":[{"cmd":"pip install config","lang":"bash","label":"Install latest version"}],"dependencies":[],"imports":[{"symbol":"Config","correct":"from config import Config"},{"note":"The module may also expose top-level functions, such as `config.create()` mentioned in some examples, for simpler setup without direct `Config` class instantiation.","symbol":"config module functions","correct":"import config"}],"quickstart":{"code":"import os\nfrom config import Config\n\n# Create a dummy config file for demonstration\nconfig_content = \"\"\"\n[DEFAULT]\nlog_level: INFO\ndata_path: /var/data\n\n[server]\nhost: 127.0.0.1\nport: ${server.default_port|8080}\nbase_url: http://${server.host}:${server.port}\n\n[database]\ntype: postgres\nhost: db.example.com\nuser: ${DB_USER|guest}\npassword: ${DB_PASSWORD|}\n\"\"\"\n\nwith open('example.cfg', 'w') as f:\n    f.write(config_content)\n\n# Set environment variables for demonstration\nos.environ['DB_USER'] = 'admin'\nos.environ['DB_PASSWORD'] = os.environ.get('TEST_DB_PASSWORD', 's3cr3t_p@ssw0rd')\n\n# Load the configuration\ncfg = Config('example.cfg')\n\n# Access configuration 
values\nprint(f\"Log Level: {cfg.log_level}\")\nprint(f\"Server Host: {cfg.server.host}\")\nprint(f\"Server Port: {cfg.server.port}\")\nprint(f\"Base URL: {cfg.server.base_url}\")\nprint(f\"DB User: {cfg.database.user}\")\nprint(f\"DB Password: {cfg.database.password}\")\n\n# Clean up the dummy config file\nos.remove('example.cfg')\n\n# DB_USER and DB_PASSWORD are set in the environment above, so their values\n# take precedence over the `|` fallbacks written in the config file.\n# Expected output for DB User: admin (from environment variable)\n# Expected output for DB Password: s3cr3t_p@ssw0rd (from environment variable, if TEST_DB_PASSWORD is not set)\n","lang":"python","description":"This quickstart demonstrates how to load a configuration from a file using the `Config` class. It shows how to define sections, key-value pairs, references to other configuration values (e.g., `base_url`), and how to inject values from environment variables (e.g., `DB_USER`, `DB_PASSWORD`) with optional default fallbacks."},"warnings":[{"fix":"Review and update existing `.cfg` files to conform to the latest CFG format syntax, particularly for boolean/null literals and cross-reference patterns.","message":"The underlying CFG configuration format used by this library introduced changes in syntax. Specifically, boolean and null literals changed from Python's `True`, `False`, `None` to JSON-compatible `true`, `false`, `null`. Also, cross-references evolved from `$A.B.C` to `${A.B.C}` for improved expressivity. 
Older configuration files using the deprecated syntax may fail to parse or produce unexpected results with newer versions of the library that adhere to the updated CFG format specification.","severity":"breaking","affected_versions":"Versions 0.5.x and later, if upgrading from very old versions (pre-0.5.0) that used a different CFG format specification."},{"fix":"Always ensure configuration files come from trusted sources. Sanitize or validate complex configuration values if there's any doubt about their origin or content. Avoid allowing arbitrary object instantiation or method calls if security is paramount and config sources are not fully controlled.","message":"The library offers 'flexible access to real Python objects without full-blown eval()' as a feature. While this avoids direct `eval()`, constructing complex Python objects or invoking methods based on configuration values can still pose a security risk if configuration files are sourced from untrusted inputs, potentially leading to unintended code execution or resource manipulation.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Utilize environment variables (e.g., `os.environ.get('SECRET_KEY')`) or a dedicated secret management solution for sensitive data. Use environment variable fallbacks in your configuration files as demonstrated in the quickstart (e.g., `password: ${DB_PASSWORD|}`).","message":"As with any configuration management system, storing sensitive information (e.g., API keys, database credentials) directly in plain text configuration files is a security risk. While the library supports environment variable integration, hardcoding secrets is a common footgun.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-12T00:00:00.000Z","next_check":"2026-07-11T00:00:00.000Z"}