STINNER Victor <vstin...@python.org> added the comment:
> if authkey is not set or leaked, it will cause RCE on the server side

In which situation can the authkey be empty? Lib/multiprocessing/process.py creates an authkey of 256 bits of entropy using:

AuthenticationString(os.urandom(32))

It's used by default if I understand correctly. I understand that the authkey can only be empty if the developer explicitly passes an empty string to authkey when the manager is created. Am I right?

--

About leaking the authkey: I don't know how the authkey is transferred to the child processes. Through a pipe controlled by the parent process?

--

> it will cause RCE on the server side

I read somewhere that multiprocessing is now supposed to accept other serialization protocols than pickle, but I failed to find the documentation :-( pickle remains the default.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue40039>
_______________________________________
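The default-authkey behaviour discussed in the comment above can be checked locally with the following added example, which is not part of the original message or of CPython's own code. It assumes CPython's private `BaseManager._authkey` attribute (an implementation detail) and uses a constructed wrong key on a loopback listener.

```python
import multiprocessing
import pickle
import threading
from multiprocessing import AuthenticationError
from multiprocessing.connection import Client, Listener
from multiprocessing.managers import BaseManager


def default_authkey_info():
    """Type name and byte length of this process's default authkey."""
    key = multiprocessing.current_process().authkey
    return type(key).__name__, len(key)


def manager_inherits_process_authkey():
    """A manager built without authkey= falls back to the process authkey."""
    mgr = BaseManager(address=("127.0.0.1", 0))  # constructed only, never started
    # _authkey is a private CPython attribute (assumption: implementation detail)
    return bytes(mgr._authkey) == bytes(multiprocessing.current_process().authkey)


def authkey_refuses_pickling():
    """Outside of child-process spawning, the key object refuses to be pickled."""
    try:
        pickle.dumps(multiprocessing.current_process().authkey)
    except TypeError:
        return True
    return False


def wrong_key_is_rejected():
    """A client that does not know the key fails the HMAC challenge."""
    key = bytes(multiprocessing.current_process().authkey)
    with Listener(("127.0.0.1", 0), authkey=key) as listener:
        def serve():
            try:
                listener.accept()  # server side also raises on a bad digest
            except AuthenticationError:
                pass
        t = threading.Thread(target=serve, daemon=True)
        t.start()
        try:
            Client(listener.address, authkey=b"constructed-wrong-key")
        except AuthenticationError:
            return True
        finally:
            t.join(timeout=5)
    return False
```

The authentication handshake completes before any pickled request is read from the connection, so these four checks cover the conditions the comment asks about for a default configuration.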