Author vstinner
Recipients Junyu Zhang, davin, koobs, pitrou, vstinner, xtreak
Date 2020-03-24.23:02:18
Message-id <1585090939.06.0.445230636753.issue40039@roundup.psfhosted.org>
Content
> if authkey is not set or leaked, it will cause RCE on the server side

In which situation can the authkey be empty?

Lib/multiprocessing/process.py creates an authkey of 256 bits of entropy using:
AuthenticationString(os.urandom(32))

It's used by default if I understand correctly. I understand that the authkey can only be empty if the developer explicitly passes an empty string to authkey when the manager is created. Am I right?

--

About leaking the authkey: I don't know how the authkey is transferred to the child processes. Through a pipe controlled by the parent process?

--

> it will cause RCE on the server side

I read somewhere that multiprocessing is now supposed to accept serialization protocols other than pickle, but I failed to find the documentation :-( pickle remains the default.
History
Date                 User      Action  Args
2020-03-24 23:02:19  vstinner  set     recipients: + vstinner, pitrou, koobs, davin, xtreak, Junyu Zhang
2020-03-24 23:02:19  vstinner  set     messageid: <1585090939.06.0.445230636753.issue40039@roundup.psfhosted.org>
2020-03-24 23:02:19  vstinner  link    issue40039 messages
2020-03-24 23:02:18  vstinner  create
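
The default key and the authkey handshake discussed in this message can be checked directly. The following is an added example, not part of the original message or of CPython's own code; the loopback listener and the wrong key are constructed for the demonstration.

```python
import pickle
import threading
from multiprocessing import AuthenticationError, current_process
from multiprocessing.connection import Client, Listener


def default_authkey_length():
    """Length in bytes of the key the main process generates for itself."""
    return len(current_process().authkey)


def authkey_pickle_blocked():
    """AuthenticationString refuses pickling outside of process spawning."""
    try:
        pickle.dumps(current_process().authkey)
    except TypeError:
        return True
    return False


def handshake(server_key, client_key):
    """Run one Listener/Client connection on loopback; report both sides."""
    outcome = {}
    with Listener(("127.0.0.1", 0), authkey=server_key) as listener:
        def serve():
            try:
                with listener.accept() as conn:  # HMAC challenge runs here
                    conn.send("hello")
                outcome["server"] = "accepted"
            except AuthenticationError:
                outcome["server"] = "rejected"

        worker = threading.Thread(target=serve)
        worker.start()
        try:
            with Client(listener.address, authkey=client_key) as conn:
                conn.recv()
            outcome["client"] = "accepted"
        except AuthenticationError:
            outcome["client"] = "rejected"
        worker.join()
    return outcome["server"], outcome["client"]


if __name__ == "__main__":
    key = current_process().authkey  # default key: os.urandom(32)
    print(default_authkey_length(), authkey_pickle_blocked())
    print(handshake(key, key))
    print(handshake(key, b"constructed-wrong-key"))
```

With a non-None authkey, the challenge is verified before any application message is received and unpickled, so a peer without the key is rejected at `accept()`.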