Issue 25565: subprocess.Popen creates inheritable file descriptors on Windows, can leak to other child processes

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/69751

classification

Title:	subprocess.Popen creates inheritable file descriptors on Windows, can leak to other child processes
Type:	security	Stage:	resolved
Components:	Library (Lib)	Versions:	Python 3.5

process

Status:	closed	Resolution:	duplicate
Dependencies:		Superseder:	Windows: subprocess.Popen: race condition for leaking inheritable handles View: 24909
Assigned To:		Nosy List:	matrixise, oconnor663, r.david.murray
Priority:	normal	Keywords:

Created on 2015-11-06 05:22 by oconnor663, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (5)
msg254168 - (view)	Author: Jack O'Connor (oconnor663) *	Date: 2015-11-06 05:22
The Windows implementation of Popen calls _make_inheritable(), which creates inheritable copies of Popen's file descriptors. If two Popen calls happen at the same time on different threads, these descriptors can leak to both child processes. Here's a demonstration of a deadlock caused by this bug: https://gist.github.com/oconnor663/b1d39d58b232fc627d84 Victor Stinner also wrote up a summary of the security issues associated with leaking file descriptors in PEP 0446. A workaround for this issue is to protect all Popen calls with a lock. Calls to wait() and communicate() don't need to be protected, so you can release the lock before you make those blocking calls. I don't see a way to safely use run() or the other convenience functions, if you're using pipes and multiple threads. Unfortunately close_fds=True is not allowed on Windows when any of stdin/stdout/stderr are set, which is going the be the case here. Would it be feasible for Popen.__init__() to automatically protect the inheritable copies it creates, with a lock around that section? We already have the _waitpid_lock for POSIX, so it seems like thread safety is a goal.
msg254187 - (view)	Author: R. David Murray (r.david.murray) *	Date: 2015-11-06 13:11
This looks like a duplicate of issue 24909?
msg254188 - (view)	Author: Stéphane Wirtel (matrixise) *	Date: 2015-11-06 13:12
yep, maybe, because in the other issue, it's about a race condition. similar.
msg254190 - (view)	Author: Jack O'Connor (oconnor663) *	Date: 2015-11-06 13:31
Definitely a duplicate, thanks for pointing me to the original. Should I mark it resolved, or let someone from the project do that?
msg254192 - (view)	Author: Stéphane Wirtel (matrixise) *	Date: 2015-11-06 13:38
I don't have the right to close it. can you close it ? Thanks

History
Date	User	Action	Args
2022-04-11 14:58:23	admin	set	github: 69751
2015-11-06 13:59:48	eryksun	set	status: open -> closed superseder: Windows: subprocess.Popen: race condition for leaking inheritable handles resolution: duplicate stage: resolved
2015-11-06 13:38:54	matrixise	set	messages: + msg254192
2015-11-06 13:31:16	oconnor663	set	messages: + msg254190
2015-11-06 13:12:41	matrixise	set	nosy: + matrixise messages: + msg254188
2015-11-06 13:11:26	r.david.murray	set	nosy: + r.david.murray messages: + msg254187
2015-11-06 05:22:27	oconnor663	create