While going through the Flask Documentation at Flask-Quick Start I came upon the following paragraph.
Attention
Even though the interactive debugger does not work in forking environments (which makes it nearly impossible to use on production servers), it still allows the execution of arbitrary code. This makes it a major security risk and therefore it must never be used on production machines.
I have searched Stack Overflow and Google, but I'm not able to find what these "forking environments" are, and how they can allow execution of arbitrary code. If somebody can just point me in the right direction it'll be great!
The sentence before it states:
If you enable debug support the server will reload itself on code changes, and it will also provide you with a helpful debugger if things go wrong.
It is this helpful debugger that allows for execution of arbitrary code; it accepts Python code through the web and can execute that arbitrary code for you on your server.
Don't enable debug mode on production servers, it is saying.
The part about forking environments just tells you that the supplied debugger doesn't work when the process is forked (to handle requests using multiple processes, for example), but you should not be lulled into a false sense of security. Even though the debugger is broken on such environments, it is not broken enough to disable the Python execution functionality.
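As an added example (not part of the question or the answer above), here is one way to keep the debugger from ever being switched on by accident: an app factory that derives debug mode from the environment instead of hardcoding it, plus a small audit function that flags hardcoded `debug=True` in source files. The `DEPLOY_ENV` variable, the `create_app` factory and the sample source are constructed for this illustration; the factory assumes Flask is installed.

```python
"""Guard against starting Flask with the Werkzeug debugger outside development."""
import os
import re

# Constructed sample source: the "before" the docs warn about (hypothetical file).
UNSAFE_SOURCE = '''
from flask import Flask
app = Flask(__name__)
if __name__ == "__main__":
    app.run(debug=True)          # interactive debugger reachable from the web
'''

_DEBUG_PATTERNS = [
    re.compile(r"\.run\([^)]*\bdebug\s*=\s*True"),     # app.run(debug=True)
    re.compile(r"\.debug\s*=\s*True"),                 # app.debug = True
    re.compile(r"\bDEBUG[\"']?\]?\s*=\s*True"),        # DEBUG = True / config["DEBUG"] = True
]


def find_hardcoded_debug(source: str):
    """Return 1-based line numbers where debug mode is switched on in the source text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if any(p.search(line) for p in _DEBUG_PATTERNS):
            hits.append(lineno)
    return hits


def debugger_allowed(environ) -> bool:
    """Enable the debugger only when the deployment explicitly opts in.

    FLASK_DEBUG is Flask's own switch; DEPLOY_ENV is a hypothetical variable that
    the deployment sets to "development" on developer machines only.
    """
    explicit = environ.get("FLASK_DEBUG", "0") == "1"
    dev_box = environ.get("DEPLOY_ENV", "production").lower() == "development"
    return explicit and dev_box


def create_app(environ=None):
    """App factory (hypothetical): debug is derived from the environment, never hardcoded."""
    from flask import Flask  # imported lazily so the guard logic is testable without Flask
    environ = os.environ if environ is None else environ
    app = Flask(__name__)
    app.debug = debugger_allowed(environ)
    return app


if __name__ == "__main__":
    for n in find_hardcoded_debug(UNSAFE_SOURCE):
        print(f"debug mode hardcoded on line {n}")
    create_app().run()
```

Run the audit over your own checkout in CI so a stray `app.run(debug=True)` fails the build before it reaches a server.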