Author vstinner
Recipients Junyu Zhang, davin, koobs, pitrou, vstinner, xtreak
Date 2020-03-24.23:02:18
> if authkey is not set or leaked, it will cause RCE on the server side

In which situation can the authkey be empty?

Lib/multiprocessing/ creates an authkey of 256 bits of entropy using:

It's used by default if I understand correctly. I understand that the authkey can only be empty if the developer explicitly passes an empty string to authkey when the manager is created. Am I right?


About leaking the authkey: I don't know how the authkey is transferred to the child processes. Through a pipe controlled by the parent process?


> it will cause RCE on the server side

I read somewhere that multiprocessing is now supposed to accept serialization protocols other than pickle, but I failed to find the documentation :-( pickle remains the default.
Date                 User      Action  Args
2020-03-24 23:02:19  vstinner  set     recipients: + vstinner, pitrou, koobs, davin, xtreak, Junyu Zhang
2020-03-24 23:02:19  vstinner  set     messageid: <>
2020-03-24 23:02:19  vstinner  link    issue40039 messages
2020-03-24 23:02:18  vstinner  create