git.ipfire.org Git - thirdparty/Python/cpython.git/commit
[3.9] gh-97514: Don't use Linux abstract sockets for multiprocessing (GH-98501) ...
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Fri, 28 Oct 2022 10:08:30 +0000 (03:08 -0700)
committer GitHub <noreply@github.com>
Fri, 28 Oct 2022 10:08:30 +0000 (12:08 +0200)
commit b43496c01a554cf41ae654a0379efae18609ad39
tree 5c53fae3c8f1c3d953215427a9762d58b21f3f78
parent 857efee6d2d43c5c12fc7e377ce437144c728ab8
[3.9] gh-97514: Don't use Linux abstract sockets for multiprocessing (GH-98501) (#98504)

Linux abstract sockets are insecure as they lack any form of filesystem
permissions so their use allows anyone on the system to inject code into
the process.

This removes the default preference for abstract sockets in
multiprocessing introduced in Python 3.9+ via
https://github.com/python/cpython/pull/18866 while fixing
https://github.com/python/cpython/issues/84031.

Explicit use of an abstract socket by a user now generates a
RuntimeWarning.  If we choose to keep this warning, it should be
backported to the 3.7 and 3.8 branches.
(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
Lib/multiprocessing/connection.py
Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst [new file with mode: 0644]
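
The exposure the commit message describes can be audited on a host. The following is an added example, not part of this commit or of CPython: it parses text in /proc/net/unix format and reports listening sockets in the abstract namespace, which have no filesystem permissions to restrict who may connect. The sample rows are constructed and the function names are hypothetical.

```python
"""Audit helper: find listening AF_UNIX sockets in the Linux abstract namespace."""
from typing import NamedTuple

SO_ACCEPTCON = 0x00010000  # kernel __SO_ACCEPTCON flag: socket is listening

# Constructed sample in /proc/net/unix format (not captured from a real host).
SAMPLE = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 31001 @listener-4242-0
0000000000000000: 00000002 00000000 00010000 0001 01 31002 /tmp/pymp-ab12cd34/listener-x9y8
0000000000000000: 00000003 00000000 00000000 0001 03 31003 @listener-4242-0
0000000000000000: 00000003 00000000 00000000 0001 03 31004
"""

class UnixSocket(NamedTuple):
    inode: int
    listening: bool
    path: str  # "" for unnamed sockets

def is_abstract_address(address) -> bool:
    """True for an address as passed to bind(): abstract names start with NUL."""
    if isinstance(address, str):
        return address.startswith("\0")
    if isinstance(address, (bytes, bytearray)):
        return bytes(address).startswith(b"\0")
    return False

def parse_proc_net_unix(text: str):
    """Yield one UnixSocket per data row; the header row is skipped."""
    for line in text.splitlines()[1:]:
        fields = line.split(None, 7)  # Path is last and may contain spaces
        if len(fields) < 7:
            continue  # malformed or truncated row
        flags = int(fields[3], 16)
        path = fields[7].rstrip() if len(fields) > 7 else ""
        yield UnixSocket(int(fields[6]), bool(flags & SO_ACCEPTCON), path)

def abstract_listeners(text: str):
    """Listening sockets whose name the kernel prints with a leading '@'."""
    # The kernel renders the leading NUL of an abstract name as '@'. A socket
    # bound to a relative filesystem path that starts with '@' looks the same,
    # so treat hits as candidates to confirm, not as proof.
    return [s for s in parse_proc_net_unix(text)
            if s.listening and s.path.startswith("@")]

if __name__ == "__main__":
    for sock in abstract_listeners(SAMPLE):
        print(f"abstract listener inode={sock.inode} name={sock.path}")
```

On a real host, pass the contents of /proc/net/unix instead of `SAMPLE`; `is_abstract_address` can be used to vet an address before it is handed to a listener.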