[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-15 Thread Ned Deily
Ned Deily added the comment: New changeset 5c17dfc5d70ce88be99bc5769b91ce79d7a90d61 by Senthil Kumaran in branch '3.6': [3.6] bpo-42967: only use '&' as a query string separator (GH-24297) (GH-24532) https://github.com/python/cpython/commit/5c17dfc5d70ce88be99bc5769b91ce79d7a90d61

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-15 Thread Ned Deily
Ned Deily added the comment: New changeset d0d4d30882fe3ab9b1badbecf5d15d94326fd13e by Senthil Kumaran in branch '3.7': [3.7] bpo-42967: only use '&' as a query string separator (GH-24297) (GH-24531) https://github.com/python/cpython/commit/d0d4d30882fe3ab9b1badbecf5d15d94326fd13e

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-15 Thread Łukasz Langa
Łukasz Langa added the comment: New changeset e3110c3cfbb7daa690d54d0eff6c264c870a71bf by Senthil Kumaran in branch '3.8': [3.8] bpo-42967: only use '&' as a query string separator (GH-24297) (#24529) https://github.com/python/cpython/commit/e3110c3cfbb7daa690d54d0eff6c264c870a71bf

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-15 Thread Senthil Kumaran
Senthil Kumaran added the comment: New changeset c9f07813ab8e664d8c34413c4fc2d4f86c061a92 by Senthil Kumaran in branch '3.9': [3.9] bpo-42967: only use '&' as a query string separator (GH-24297) (#24528) https://github.com/python/cpython/commit/c9f07813ab8e664d8c34413c4fc2d4f86c061a92

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-15 Thread Senthil Kumaran
Senthil Kumaran added the comment: New changeset a2f0654b0a5b4c4f726155620002cc1f5f2d206a by Ken Jin in branch 'master': bpo-42967: Fix urllib.parse docs and make logic clearer (GH-24536) https://github.com/python/cpython/commit/a2f0654b0a5b4c4f726155620002cc1f5f2d206a

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-15 Thread Ken Jin
Change by Ken Jin: pull_requests: +23323 pull_request: https://github.com/python/cpython/pull/24536

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-15 Thread STINNER Victor
STINNER Victor added the comment: I agree with changing the default in Python 3.6-3.10.

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-14 Thread Senthil Kumaran
Change by Senthil Kumaran: pull_requests: +23319 pull_request: https://github.com/python/cpython/pull/24532

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-14 Thread Senthil Kumaran
Change by Senthil Kumaran: pull_requests: +23318 pull_request: https://github.com/python/cpython/pull/24531

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-14 Thread Senthil Kumaran
Change by Senthil Kumaran: pull_requests: +23316 pull_request: https://github.com/python/cpython/pull/24529

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-14 Thread Senthil Kumaran
Change by Senthil Kumaran: pull_requests: +23315 pull_request: https://github.com/python/cpython/pull/24528

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-14 Thread Senthil Kumaran
Senthil Kumaran added the comment: New changeset fcbe0cb04d35189401c0c880ebfb4311e952d776 by Adam Goldschmidt in branch 'master': bpo-42967: only use '&' as a query string separator (#24297) https://github.com/python/cpython/commit/fcbe0cb04d35189401c0c880ebfb4311e952d776

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-14 Thread Senthil Kumaran
Senthil Kumaran added the comment: Éric, I considered the possibility of bringing it in python-dev, but thought it could be decided in this ticket itself. 1. This was already brought up by multiple Release Managers in Python-dev, and some conversation seems to have happened there

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-14 Thread Éric Araujo
Éric Araujo added the comment: I also have concerns about specifics of the implementation (see PR) and in general the behaviour change in point releases. Maybe have a thread on python-dev?

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-14 Thread Senthil Kumaran
Senthil Kumaran added the comment: I finished reviewing this PR https://github.com/python/cpython/pull/24297 With the contexts given in W3C recommendation, Snyk.io Security Report and pattern of usage in libraries like werkzeug and bottle, instead of ignoring this and letting this behavior
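The following is an added example for this thread (it is not code from CPython, from the bpo-42967 patch, or from any participant). It models the parsing discrepancy the review above and the Snyk report are about: a cache in front of the application splits the query string only at '&' (the HTML5 behaviour) and drops "unkeyed" tracking parameters before building its key, while a backend on a pre-fix `urllib.parse.parse_qsl()` also splits at ';'. It also covers the separator variants Ken Jin shows further down. All names here (`parse_pairs`, `cache_key`, `backend_view`, `request`, `is_ambiguous`, the `utm_` prefix and the `callback` parameter) are constructed for the example and are not stdlib API; the only stdlib fact used is that the fix added a `separator` keyword to `parse_qsl()`.

```python
"""Added example for bpo-42967, not code from CPython or the patch.

Models: cache keys on the '&'-split query minus tracking params; a backend
on pre-fix parse_qsl() also splits at ';'.  All helper names are constructed.
"""
import inspect
from urllib.parse import parse_qsl, unquote_plus

LEGACY_SEPARATORS = ("&", ";")   # parse_qsl() before the fix split at both
HTML5_SEPARATORS = ("&",)        # after the fix, and what HTML5-style proxies use


def parse_pairs(qs, separators=HTML5_SEPARATORS):
    """Split a query string into (name, value) pairs at any of `separators`.

    Roughly mirrors parse_qsl(keep_blank_values=False): empty chunks and
    chunks without a value are dropped; percent-encoding and '+' are decoded.
    """
    chunks = [qs]
    for sep in separators:
        chunks = [part for chunk in chunks for part in chunk.split(sep)]
    pairs = []
    for chunk in chunks:
        name, _, value = chunk.partition("=")
        if not value:
            continue
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def cache_key(path, qs, unkeyed_prefixes=("utm_",)):
    """Constructed cache policy: split at '&' only, drop tracking params."""
    kept = [(k, v) for k, v in parse_pairs(qs, HTML5_SEPARATORS)
            if not k.startswith(unkeyed_prefixes)]
    if not kept:
        return path
    return path + "?" + "&".join(f"{k}={v}" for k, v in kept)


def backend_view(qs, separators):
    """Constructed JSONP-style handler that reflects a 'callback' parameter.

    Returns the callback name the response body would embed.
    """
    params = dict(parse_pairs(qs, separators))
    return params.get("callback", "handleResults")


def request(path, qs, backend_separators):
    """One request through cache then backend: (cache key, reflected value)."""
    return cache_key(path, qs), backend_view(qs, backend_separators)


def is_ambiguous(qs):
    """Proxy/WAF check: True when the '&'-only split and the '&'/';' split
    disagree, i.e. cache and backend would see different parameters."""
    return parse_pairs(qs, HTML5_SEPARATORS) != parse_pairs(qs, LEGACY_SEPARATORS)


def interpreter_has_fix():
    """True when this interpreter's parse_qsl() accepts the `separator`
    keyword added by the bpo-42967 fix."""
    return "separator" in inspect.signature(parse_qsl).parameters


def stdlib_pairs(qs):
    """What the running interpreter's parse_qsl() actually returns."""
    return parse_qsl(qs)


if __name__ == "__main__":
    evil = "utm_source=news;callback=alert(1)"
    # Pre-fix backend: the cache keys this as plain '/search' (utm_source is
    # unkeyed and the ';' is inside its value), but the backend reflects
    # alert(1), so the poisoned body is cached for every visitor of /search.
    print(request("/search", evil, LEGACY_SEPARATORS))
    # Post-fix backend: ';' stays inside the utm_source value, nothing reflected.
    print(request("/search", evil, HTML5_SEPARATORS))
    print(is_ambiguous(evil), interpreter_has_fix())
```

With the legacy split, `request("/search", "utm_source=news;callback=alert(1)", LEGACY_SEPARATORS)` returns `("/search", "alert(1)")`: the cache stores the reflected response under the clean key. The honest form `utm_source=news&callback=alert(1)` keys as `/search?callback=alert(1)`, so only the attacker's own key is affected. `is_ambiguous()` is the check a proxy or WAF can run to reject requests that the two parsers would read differently, and `interpreter_has_fix()` tells you whether the interpreter serving your app has the patched `parse_qsl()`.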

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-10 Thread Senthil Kumaran
Senthil Kumaran added the comment: I meant, "I did some research, but couldn't come away conclusively".

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-10 Thread Senthil Kumaran
Senthil Kumaran added the comment: Sorry for that, Ned. I will take a decision on this by Saturday (13-Feb). I did some research, but could come way conclusively. I have not heard any opinions (+ves or -ves) on this. This will be a breaking change, so necessary to support it with

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-10 Thread Ned Deily
Ned Deily added the comment: Ping. This issue has been delaying 3.7.x and 3.6.x security releases. I would prefer to have it resolved before releasing.

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-30 Thread Senthil Kumaran
Senthil Kumaran added the comment: Ned, and others watching. In future versions of Python, we can use only "&" based separator. But I am not certain what should be proposed for the older releases of Python. Adam's patch is a good one to explicitly specify the separator, but it

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-30 Thread Senthil Kumaran
Change by Senthil Kumaran: assignee: -> orsenthil

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-28 Thread Ned Deily
Ned Deily added the comment: Resolution of this issue is blocking 3.7.x and 3.6.x security releases and threatens to block upcoming maintenance releases. nosy: +lukasz.langa, ned.deily priority: normal -> release blocker

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-24 Thread Éric Araujo
Éric Araujo added the comment: Senthil, what is your opinion here?

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-24 Thread Adam Goldschmidt
Adam Goldschmidt added the comment: > The difference is that semicolon is defined in a previous specification. I understand, but this will limit us in the future if the spec changes - though I don't have strong feelings regarding this one. > Dear all, now that Adam has signed the CLA, I have

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-24 Thread Ken Jin
Ken Jin added the comment: Dear all, now that Adam has signed the CLA, I have closed my PR in favor of Adam's because I think 2 open PRs might split everyone's attention. Instead, I'll focus on reviewing Adam's PR. Sorry for any inconvenience caused.

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-23 Thread Éric Araujo
Éric Araujo added the comment: The difference is that semicolon is defined in a previous specification. I don’t see this change as providing support for custom delimiters in URL parsing, but offering an option to pick between two specifications.

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-23 Thread Adam Goldschmidt
Adam Goldschmidt added the comment: > That doesn’t feel necessary to me. I suspect most links use &, some use ;, > nothing else is valid at the moment and I don’t expect a new separator to > suddenly appear. IMO the boolean parameter to also recognize ; was better. That's reasonable.

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-23 Thread Adam Goldschmidt
Adam Goldschmidt added the comment: > I _didn't_ change the default - it will allow both '&' and ';' still. Eric > showed a link above that still uses semicolon. So I feel that it's strange to > break backwards compatibility in a patch update. Maybe we can make just '&' > the default in

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-23 Thread Éric Araujo
Éric Araujo added the comment: > I feel like if we are to implement this, we should let the developer choose > the separator and not limit to just `&` and `;` That doesn’t feel necessary to me. I suspect most links use &, some use ;, nothing else is valid at the moment and I don’t expect a

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-23 Thread Ken Jin
Ken Jin added the comment: I updated the PR to take in a sequence of separators from the user - eg:

>>> urllib.parse.parse_qsl('a=1&b=2;c=3', separators=('&', ';'))
[('a', '1'), ('b', '2'), ('c', '3')]
>>> urllib.parse.parse_qsl('a=1&b=2;c=3', separators=('&',))
[('a', '1'), ('b', '2;c=3')]

I

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-23 Thread Ken Jin
Ken Jin added the comment: @Adam: >I haven't noticed, I'm sorry. I don't mind closing mine, just thought it could >be a nice first contribution. No worries :), please don't close yours. > Our PRs are different though - I feel like if we are to implement this, we > should let the

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-22 Thread Éric Araujo
Éric Araujo added the comment: Too bad that semicolon is not recommended nowadays, it was a nice way to avoid ampersand HTML escape issues! One server software that generates links using semicolons is debbugs:

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-22 Thread Adam Goldschmidt
Adam Goldschmidt added the comment: I haven't noticed, I'm sorry. I don't mind closing mine, just thought it could be a nice first contribution. Our PRs are different though - I feel like if we are to implement this, we should let the developer choose the separator and not limit to just `&`

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-22 Thread Senthil Kumaran
Change by Senthil Kumaran: title: [security] urllib.parse.parse_qsl(): Web cache poisoning - `;` as a query args separator -> [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-22 Thread Ken Jin
Ken Jin added the comment: Adam, I linked a PR 2 days ago here https://github.com/python/cpython/pull/24271 , it has the test suite passing and the appropriate changes to cgi.py. Would you like to review it? Or since you submitted a PR, would you prefer I close mine instead?

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-22 Thread Adam Goldschmidt
Change by Adam Goldschmidt: pull_requests: +23120 pull_request: https://github.com/python/cpython/pull/24297

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-20 Thread Senthil Kumaran
Change by Senthil Kumaran: nosy: +orsenthil

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-20 Thread Ken Jin
Ken Jin added the comment: FWIW, a surprising amount of things rely on treating ';' as a valid separator in the standard test suite. From just a cursory look: test_cgi, test_urlparse. A change in the public API of urlparse will also require a change in cgi.py's FieldStorage,

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-20 Thread Ken Jin
Change by Ken Jin: keywords: +patch nosy: +kj nosy_count: 4.0 -> 5.0 pull_requests: +23094 stage: -> patch review pull_request: https://github.com/python/cpython/pull/24271

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-20 Thread STINNER Victor
STINNER Victor added the comment: > Python implementation obeys contemporary standards The contemporary standard is HTML5 and HTML5 asks to only split at "&", no?

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-20 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: It looks to me, that this is an issue of proxies, not Python. Python implementation obeys contemporary standards, and they are not formally cancelled yet. If we add an option in parse_qsl() or change its default behavior, it should be considered as a new

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-20 Thread STINNER Victor
STINNER Victor added the comment: > Sorry for the title mess: It seems that when replying to a ticket, RoundUp > uses the subject line as the new header regardless of what it was set to > before. Yeah, it's annoying :-( I like to put a module name in the issue title, to help bug triage.

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-20 Thread Marc-Andre Lemburg
Marc-Andre Lemburg added the comment: Sorry for the title mess: It seems that when replying to a ticket, RoundUp uses the subject line as the new header regardless of what it was set to before.

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-20 Thread STINNER Victor
Change by STINNER Victor: title: [security] Web cache poisoning - `;` as a query args separator -> [security] urllib.parse.parse_qsl(): Web cache poisoning - `;` as a query args separator

[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-20 Thread STINNER Victor
Change by STINNER Victor: title: urllib.parse.parse_qsl(): Web cache poisoning - `;` as a query args separator -> [security] urllib.parse.parse_qsl(): Web cache poisoning - `;` as a query args separator