Hello guys,
While working at a dispatcher using
multiprocessing.connection.Listener module I've stumbled upon some
sort of magic trick that amazed me. How is this possible and
what does multiprocessing library doing in background for this to
work?
Most of Python's sharing routines (including multiprocessing
"send", in this case) use the pickle routines to package data
for transport between processes.
Thus, you can "see the magic" pretty simply:
Here I just use pickle.dumps() to return (and print, since we are
in the interpreter) the string representation that client.send()
will send:
Server, 3.2
Help on function copy in module shutil:
[snip]
On this end, the (different) version of python simply unpickles the
byte stream. Starting a new python session (to get rid of any
previous imports):
$ python
...Help on function copy in module shutil:
...
The real magic is in the unpickler, which has figured out how to
access shutil.copy without importing shutil into the global namespace:
Traceback (most recent call last):
but we can expose that magic as well, by feeding pickle.loads()
a "bad" string:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/pickle.py", line 1374, in loads
return Unpickler(file).load()
File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/pickle.py", line 858, in load
dispatch[key](self)
File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/pickle.py", line 1090, in load_global
klass = self.find_class(module, name)
File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/pickle.py", line 1124, in find_class
__import__(module)
ImportError: No module named NotAModule
Note the rather total lack of security here -- in the receiver, by
doing con.recv(), you are trusting the sender not to send you a
"dangerous" or invalid pickle-data-stream. This is why the documentation
includes the following:
Warning: The Connection.recv() method automatically unpickles
the data it receives, which can be a security risk unless you
can trust the process which sent the message.
Therefore, unless the connection object was produced using Pipe()
you should only use the recv() and send() methods after performing
some sort of authentication. See Authentication keys.
(i.e., do that
-- see the associated section on authentication)