classification
Title: ValueError: insecure string pickle in subprocess.Popen on Python 2
Type: behavior Stage: commit review
Components: Library (Lib), macOS Versions: Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: gregory.p.smith Nosy List: AlokSinghal, eryksun, gregory.p.smith, ned.deily, python-dev, ronaldoussoren, yan12125
Priority: normal Keywords: patch

Created on 2016-01-11 20:43 by yan12125, last changed 2016-05-28 19:25 by gregory.p.smith. This issue is now closed.

Files
File name Uploaded Description Edit
subprocess.patch AlokSinghal, 2016-05-28 01:52 review
Messages (8)
msg258011 - (view) Author: Chih-Hsuan Yen (yan12125) * Date: 2016-01-11 20:43
Originally reported at [1] and [2].

On Mac OS X, read() on pipes may return only the first 512 bytes. The remaining bytes are not read into `data` in _execute_child(). There's a patch proposal at [3]. I didn't test it myself because I can't reproduce the broken situation.

[1] https://github.com/rg3/youtube-dl/issues/6840
[2] https://github.com/matplotlib/matplotlib/issues/5386
[3] https://github.com/matplotlib/matplotlib/issues/5386#issuecomment-161111817
msg258027 - (view) Author: Gregory P. Smith (gregory.p.smith) * (Python committer) Date: 2016-01-11 21:50
I strongly recommend people use https://pypi.python.org/pypi/subprocess32/ instead of Python 2.7's subprocess module whenever possible.

That said, the fix is pretty easy.
msg258029 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2016-01-11 21:57
New changeset 268d13c7e939 by Gregory P. Smith in branch '2.7':
Fixes issue #26083: Workaround a subprocess bug that raised an incorrect
https://hg.python.org/cpython/rev/268d13c7e939
msg258030 - (view) Author: Gregory P. Smith (gregory.p.smith) * (Python committer) Date: 2016-01-11 21:58
note: this was not a security issue nor was it a crash.  an exception was being raised anyways from the forked child prior to the exec(), this bug just caused that to be swallowed and this ValueError raised instead.
msg258035 - (view) Author: Eryk Sun (eryksun) * (Python triager) Date: 2016-01-11 22:15
> I strongly recommend people use https://pypi.python.org/pypi/subprocess32/

I think this warrants a note that draws more attention to itself than the "see also" text.
msg266526 - (view) Author: Alok Singhal (AlokSinghal) * Date: 2016-05-28 01:52
I think there is a small problem with the fix in changeset 268d13c7e939 (msg258029).  It copies the string from the return value of _eintr_retry_call() twice.  I am attaching a trivial fix.
msg266541 - (view) Author: Chih-Hsuan Yen (yan12125) * Date: 2016-05-28 07:06
Great point!
msg266569 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2016-05-28 19:25
New changeset 184dfef08a93 by Gregory P. Smith in branch '2.7':
issue26083: Avoid duplicate error message string from a subprocess exec failure.Avoid a duplicate error message string from a subprocess exec failure.
https://hg.python.org/cpython/rev/184dfef08a93
History
Date User Action Args
2016-05-28 19:25:15gregory.p.smithsetstatus: open -> closed
resolution: fixed
2016-05-28 19:25:00python-devsetmessages: + msg266569
2016-05-28 07:06:29yan12125setstatus: closed -> open
resolution: fixed -> (no value)
messages: + msg266541
2016-05-28 01:52:18AlokSinghalsetfiles: + subprocess.patch

nosy: + AlokSinghal
messages: + msg266526

keywords: + patch
2016-01-11 22:15:38eryksunsetnosy: + eryksun
messages: + msg258035
2016-01-11 21:58:32gregory.p.smithsetstatus: open -> closed
type: crash -> behavior
messages: + msg258030

resolution: fixed
stage: commit review
2016-01-11 21:57:05python-devsetnosy: + python-dev
messages: + msg258029
2016-01-11 21:50:17gregory.p.smithsetassignee: gregory.p.smith
messages: + msg258027
2016-01-11 21:14:09ned.deilysetnosy: + gregory.p.smith
2016-01-11 20:43:15yan12125create