Message364966
> if authkey is not set or leaked, it will cause RCE on the server side
In which situation the authkey can be empty?
Lib/multiprocessing/process.py creates an authkey of 256 bits of entropy using:
AuthenticationString(os.urandom(32))
It's used by default if I understand correctly. I understand that the authkey can only be empty if the developer explicitly passes an empty string to authkey when the manager is created. Am I right?
--
About leaking the authkey: I don't know how the authkey is transferred to the child processes. Through a pipe controlled by the parent process?
--
> it will cause RCE on the server side
I read somewhere that multiprocessing is now supposed to accept serialization protocols other than pickle, but I failed to find the documentation :-( pickle remains the default.

| Date | User | Action | Args |
| 2020-03-24 23:02:19 | vstinner | set | recipients: + vstinner, pitrou, koobs, davin, xtreak, Junyu Zhang |
| 2020-03-24 23:02:19 | vstinner | set | messageid: <1585090939.06.0.445230636753.issue40039@roundup.psfhosted.org> |
| 2020-03-24 23:02:19 | vstinner | link | issue40039 messages |
| 2020-03-24 23:02:18 | vstinner | create | |
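
Added example, not part of the original message or of CPython's own code: a check of the default authkey discussed above, and of the challenge/response that gates a multiprocessing connection on that key. It uses the documented `deliver_challenge` / `answer_challenge` functions over a local `Pipe`; the helper names `default_authkey_info` and `handshake` are assumptions made for this sketch.

```python
import os
import threading
import multiprocessing
from multiprocessing import AuthenticationError, Pipe
from multiprocessing.connection import answer_challenge, deliver_challenge


def default_authkey_info():
    """Return (type name, length in bytes) of this process's default authkey."""
    key = multiprocessing.current_process().authkey
    return type(key).__name__, len(key)


def handshake(server_key, client_key):
    """Run the HMAC challenge/response over a Pipe.

    Returns (server_accepted, client_accepted).
    """
    server_end, client_end = Pipe()
    outcome = {}

    def server():
        # Listener side: send a random challenge, verify the HMAC reply.
        try:
            deliver_challenge(server_end, server_key)
            outcome["server"] = True
        except AuthenticationError:
            outcome["server"] = False

    worker = threading.Thread(target=server)
    worker.start()
    try:
        # Client side: answer the challenge with an HMAC keyed by client_key.
        answer_challenge(client_end, client_key)
        client_ok = True
    except AuthenticationError:
        client_ok = False
    worker.join()
    server_end.close()
    client_end.close()
    return outcome["server"], client_ok


if __name__ == "__main__":
    print("default authkey:", default_authkey_info())
    key = os.urandom(32)  # constructed sample key
    print("matching keys:  ", handshake(key, key))
    print("mismatched keys:", handshake(key, os.urandom(32)))
```

Only a peer that passes this handshake gets to send data that the other side will unpickle, which is why the secrecy of the key matters.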