Message 364867 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	Junyu Zhang, davin, koobs, pitrou, vstinner, xtreak
Date	2020-03-23.17:30:39
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1584984639.51.0.564203654701.issue40039@roundup.psfhosted.org>
In-reply-to

Content
Lib/multiprocessing/connection.py uses a challenge to authenticate the client. How do you connect to the server? Yes, it's known that pickle is not safe, there is a big red warning at the top of the doc: https://docs.python.org/dev/library/pickle.html But please elaborate your attack scenario. How do you execute arbitrary code on a server? How do you inject code?

Lib/multiprocessing/connection.py uses a challenge to authenticate the client. How do you connect to the server?

Yes, it's known that pickle is not safe, there is a big red warning at the top of the doc:
https://docs.python.org/dev/library/pickle.html

But please elaborate your attack scenario. How do you execute arbitrary code on a server? How do you inject code?

History
Date	User	Action	Args
2020-03-23 17:30:39	vstinner	set	recipients: + vstinner, pitrou, koobs, davin, xtreak, Junyu Zhang
2020-03-23 17:30:39	vstinner	set	messageid: <1584984639.51.0.564203654701.issue40039@roundup.psfhosted.org>
2020-03-23 17:30:39	vstinner	link	issue40039 messages
2020-03-23 17:30:39	vstinner	create