Message 254168 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	oconnor663
Recipients	oconnor663
Date	2015-11-06.05:22:26
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1446787347.51.0.846654506724.issue25565@psf.upfronthosting.co.za>
In-reply-to

Content
The Windows implementation of Popen calls _make_inheritable(), which creates inheritable copies of Popen's file descriptors. If two Popen calls happen at the same time on different threads, these descriptors can leak to both child processes. Here's a demonstration of a deadlock caused by this bug: https://gist.github.com/oconnor663/b1d39d58b232fc627d84 Victor Stinner also wrote up a summary of the security issues associated with leaking file descriptors in PEP 0446. A workaround for this issue is to protect all Popen calls with a lock. Calls to wait() and communicate() don't need to be protected, so you can release the lock before you make those blocking calls. I don't see a way to safely use run() or the other convenience functions, if you're using pipes and multiple threads. Unfortunately close_fds=True is not allowed on Windows when any of stdin/stdout/stderr are set, which is going the be the case here. Would it be feasible for Popen.__init__() to automatically protect the inheritable copies it creates, with a lock around that section? We already have the _waitpid_lock for POSIX, so it seems like thread safety is a goal.

The Windows implementation of Popen calls _make_inheritable(), which creates inheritable copies of Popen's file descriptors. If two Popen calls happen at the same time on different threads, these descriptors can leak to both child processes. Here's a demonstration of a deadlock caused by this bug:

https://gist.github.com/oconnor663/b1d39d58b232fc627d84

Victor Stinner also wrote up a summary of the security issues associated with leaking file descriptors in PEP 0446.

A workaround for this issue is to protect all Popen calls with a lock. Calls to wait() and communicate() don't need to be protected, so you can release the lock before you make those blocking calls. I don't see a way to safely use run() or the other convenience functions, if you're using pipes and multiple threads. Unfortunately close_fds=True is not allowed on Windows when any of stdin/stdout/stderr are set, which is going the be the case here.

Would it be feasible for Popen.__init__() to automatically protect the inheritable copies it creates, with a lock around that section? We already have the _waitpid_lock for POSIX, so it seems like thread safety is a goal.

History
Date	User	Action	Args
2015-11-06 05:22:27	oconnor663	set	recipients: + oconnor663
2015-11-06 05:22:27	oconnor663	set	messageid: <1446787347.51.0.846654506724.issue25565@psf.upfronthosting.co.za>
2015-11-06 05:22:27	oconnor663	link	issue25565 messages
2015-11-06 05:22:26	oconnor663	create