[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-15 Thread Ned Deily


Ned Deily  added the comment:


New changeset 5c17dfc5d70ce88be99bc5769b91ce79d7a90d61 by Senthil Kumaran in 
branch '3.6':
[3.6] bpo-42967: only use '&' as a query string separator (GH-24297)  (GH-24532)
https://github.com/python/cpython/commit/5c17dfc5d70ce88be99bc5769b91ce79d7a90d61


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-15 Thread Ned Deily


Ned Deily  added the comment:


New changeset d0d4d30882fe3ab9b1badbecf5d15d94326fd13e by Senthil Kumaran in 
branch '3.7':
[3.7] bpo-42967: only use '&' as a query string separator (GH-24297)  (GH-24531)
https://github.com/python/cpython/commit/d0d4d30882fe3ab9b1badbecf5d15d94326fd13e


--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-15 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset e3110c3cfbb7daa690d54d0eff6c264c870a71bf by Senthil Kumaran in 
branch '3.8':
[3.8] bpo-42967: only use '&' as a query string separator (GH-24297)  (#24529)
https://github.com/python/cpython/commit/e3110c3cfbb7daa690d54d0eff6c264c870a71bf


--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-15 Thread Senthil Kumaran


Senthil Kumaran  added the comment:


New changeset c9f07813ab8e664d8c34413c4fc2d4f86c061a92 by Senthil Kumaran in 
branch '3.9':
[3.9] bpo-42967: only use '&' as a query string separator (GH-24297) (#24528)
https://github.com/python/cpython/commit/c9f07813ab8e664d8c34413c4fc2d4f86c061a92


--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-15 Thread Senthil Kumaran


Senthil Kumaran  added the comment:


New changeset a2f0654b0a5b4c4f726155620002cc1f5f2d206a by Ken Jin in branch 
'master':
bpo-42967: Fix urllib.parse docs and make logic clearer (GH-24536)
https://github.com/python/cpython/commit/a2f0654b0a5b4c4f726155620002cc1f5f2d206a


--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-15 Thread Ken Jin


Change by Ken Jin :


--
pull_requests: +23323
pull_request: https://github.com/python/cpython/pull/24536




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-15 Thread STINNER Victor


STINNER Victor  added the comment:

I agree with changing the default in Python 3.6-3.10.

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-14 Thread Senthil Kumaran


Change by Senthil Kumaran :


--
pull_requests: +23319
pull_request: https://github.com/python/cpython/pull/24532




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-14 Thread Senthil Kumaran


Change by Senthil Kumaran :


--
pull_requests: +23318
pull_request: https://github.com/python/cpython/pull/24531




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-14 Thread Senthil Kumaran


Change by Senthil Kumaran :


--
pull_requests: +23316
pull_request: https://github.com/python/cpython/pull/24529




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-14 Thread Senthil Kumaran


Change by Senthil Kumaran :


--
pull_requests: +23315
pull_request: https://github.com/python/cpython/pull/24528




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-14 Thread Senthil Kumaran


Senthil Kumaran  added the comment:


New changeset fcbe0cb04d35189401c0c880ebfb4311e952d776 by Adam Goldschmidt in 
branch 'master':
bpo-42967: only use '&' as a query string separator (#24297)
https://github.com/python/cpython/commit/fcbe0cb04d35189401c0c880ebfb4311e952d776


--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-14 Thread Senthil Kumaran

Senthil Kumaran  added the comment:

Éric, I considered the possibility of bringing it up on python-dev, but thought it 
could be decided in this ticket itself.

1. This was already brought up by multiple Release Managers on python-dev, and 
some conversation seems to have happened there previously, especially 
regarding backwards incompatibility. Of course, we didn't debate the 
implementation, but debating that seems better focused here and in the PR. With 
the wider group, we only need to acknowledge that a backwards incompatibility is 
introduced.

2. Other interested core-devs seem to have shared their thoughts early 
in the bug too.

So, once I reviewed these, I thought it seemed okay for us to make a 
decision here.  If there is anything particular you wanted to bring up, we could.

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-14 Thread Éric Araujo

Éric Araujo  added the comment:

I also have concerns about specifics of the implementation (see PR) and in 
general the behaviour change in point releases.  Maybe have a thread on 
python-dev?

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-14 Thread Senthil Kumaran


Senthil Kumaran  added the comment:

I finished reviewing this PR https://github.com/python/cpython/pull/24297

With the context given in the W3C recommendation, the Snyk.io security report and 
the pattern of usage in libraries like werkzeug and bottle, instead of ignoring 
this and letting this behavior be handled at the proxy software level, addressing 
this in the stdlib as a safeguard seems like a much better choice to me.

The change and the approach taken by Adam's patch look good to me. I have 
requested documentation updates and a news entry, and it will be merged for 
Python 3.10 and ported to earlier versions.

- Fixing this in 3.10 is going to break the behavior of software which relied on 
both "&" and ";" as query parameter separators.  Only a single separator will be 
allowed, and it will default to &. This will be mentioned in the documentation.

- As we backport this to security releases of Python, a rationale for this change 
can be added. The documentation or news entry could help developers with 
their plans to upgrade.

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-10 Thread Senthil Kumaran


Senthil Kumaran  added the comment:

I meant, "I did some research, but couldn't come away conclusively".

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-10 Thread Senthil Kumaran


Senthil Kumaran  added the comment:

Sorry for that, Ned. I will take a decision on this by Saturday (13-Feb).

I did some research, but could come way conclusively. I have not heard any 
opinions (+ves or -ves) on this.  This will be a breaking change, so it is necessary 
to support it with documentation, alerts etc.

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-02-10 Thread Ned Deily


Ned Deily  added the comment:

Ping. This issue has been delaying 3.7.x and 3.6.x security releases. I would 
prefer to have it resolved before releasing.

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-30 Thread Senthil Kumaran


Senthil Kumaran  added the comment:

Ned, and others watching.

In future versions of Python, we can use only a "&" based separator. But I am not 
certain what should be proposed for the older releases of Python.

Adam's patch is a good one to explicitly specify the separator, but it 
changes the expectations in our test cases and is not backwards compatible.

Victor / Marc-Andre: Need your recommendation here.

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-30 Thread Senthil Kumaran


Change by Senthil Kumaran :


--
assignee:  -> orsenthil




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-28 Thread Ned Deily


Ned Deily  added the comment:

Resolution of this issue is blocking 3.7.x and 3.6.x security releases and 
threatens to block upcoming maintenance releases.

--
nosy: +lukasz.langa, ned.deily
priority: normal -> release blocker




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-24 Thread Éric Araujo

Éric Araujo  added the comment:

Senthil, what is your opinion here?

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-24 Thread Adam Goldschmidt

Adam Goldschmidt  added the comment:

> The difference is that semicolon is defined in a previous specification.

I understand, but this will limit us in the future if the spec changes - though 
I don't have strong feelings regarding this one.

> Dear all, now that Adam has signed the CLA, I have closed my PR in favor of 
> Adam's because I think 2 open PRs might split everyone's attention. Instead, 
> I'll focus on reviewing Adam's PR. Sorry for any inconvenience caused.

❤

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-24 Thread Ken Jin


Ken Jin  added the comment:

Dear all, now that Adam has signed the CLA, I have closed my PR in favor of 
Adam's because I think 2 open PRs might split everyone's attention. Instead, 
I'll focus on reviewing Adam's PR. Sorry for any inconvenience caused.

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-23 Thread Éric Araujo

Éric Araujo  added the comment:

The difference is that semicolon is defined in a previous specification.

I don’t see this change as providing support for custom delimiters in URL 
parsing, but offering an option to pick between two specifications.

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-23 Thread Adam Goldschmidt

Adam Goldschmidt  added the comment:

> That doesn’t feel necessary to me.   I suspect most links use &, some use ;, 
> nothing else is valid at the moment and I don’t expect a new separator to 
> suddenly appear.  IMO the boolean parameter to also recognize ; was better.

That's reasonable. However, I think that we are making this change in order to 
treat the semicolon as a "custom" separator. In that case, why not let the 
developer decide on a different custom separator for their own use cases? 
What's the difference between a semicolon and something else?

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-23 Thread Adam Goldschmidt


Adam Goldschmidt  added the comment:

> I _didn't_ change the default - it will allow both '&' and ';' still. Eric 
> showed a link above that still uses semicolon. So I feel that it's strange to 
> break backwards compatibility in a patch update. Maybe we can make just '&' 
> the default in Python 3.10, while backporting the ability to specify 
> separators to older versions so it's up to users?

I like this implementation. I definitely think we should not break backwards 
compatibility and only change the default in Python 3.10.

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-23 Thread Éric Araujo

Éric Araujo  added the comment:

> I feel like if we are to implement this, we should let the developer choose 
> the separator and not limit to just `&` and `;`

That doesn’t feel necessary to me.   I suspect most links use &, some use ;, 
nothing else is valid at the moment and I don’t expect a new separator to 
suddenly appear.  IMO the boolean parameter to also recognize ; was better.

> but that discussion probably belongs in the PR.

PR discussions are generally about how to achieve the goal (fix or new feature) 
and the quality of the implementation, but tickets are where we agree on what the 
goal is and how to fix it (big picture).

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-23 Thread Ken Jin


Ken Jin  added the comment:

I updated the PR to take in a sequence of separators from the user, e.g.:

>>> urllib.parse.parse_qsl('a=1&b=2;c=3', separators=('&', ';'))
[('a', '1'), ('b', '2'), ('c', '3')]
>>> urllib.parse.parse_qsl('a=1&b=2;c=3', separators=('&',))
[('a', '1'), ('b', '2;c=3')]

I _didn't_ change the default - it will allow both '&' and ';' still. Eric 
showed a link above that still uses semicolon. So I feel that it's strange to 
break backwards compatibility in a patch update. Maybe we can make just '&' the 
default in Python 3.10, while backporting the ability to specify separators to 
older versions so it's up to users?

I'm not sure, any thoughts on this? Opinions would be greatly appreciated.

--
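The two readings of one query string that Ken Jin's REPL session above shows, and the '&'-only default that Senthil's 2021-02-14 review comment says the merged fix adopts, as an added example (this is not code from the thread, from either PR, or from CPython). It re-implements the splitting step of parse_qsl() for the pre-fix ('&' and ';') and post-fix ('&' only) behaviours, reports the pairs on which the two views disagree (the parser mismatch between a front-end cache and the application that the issue title refers to), and calls the real parse_qsl() with the separator pinned. The function names and sample query strings are constructed for this example; the `separator` keyword is the one the merged fix added, and the code checks for it with `inspect.signature` rather than assuming the running interpreter has it.

```python
# Added example for bpo-42967 (not code from the thread or from CPython).
# Re-implements the splitting step of urllib.parse.parse_qsl() for the
# pre-fix ('&' and ';') and post-fix ('&' only) behaviours, reports where
# the two views of one query string disagree, and shows how to call the
# real parse_qsl() with the separator pinned. Function names and the
# sample query strings are constructed for this example.
import inspect
from typing import List, Sequence, Tuple
from urllib.parse import parse_qsl, unquote_plus

Pair = Tuple[str, str]


def split_pairs(qs: str, separators: Sequence[str]) -> List[Pair]:
    """Split a query string into decoded (name, value) pairs.

    Splits on every string in `separators`, then each field on its first
    '='. Fields with an empty value (or no '=') are dropped, matching
    parse_qsl's default keep_blank_values=False.
    """
    chunks = [qs]
    for sep in separators:
        chunks = [piece for chunk in chunks for piece in chunk.split(sep)]
    pairs: List[Pair] = []
    for chunk in chunks:
        name, _, value = chunk.partition("=")
        if not value:
            continue
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def parse_legacy(qs: str) -> List[Pair]:
    """Pre-fix stdlib behaviour: both '&' and ';' separate parameters."""
    return split_pairs(qs, ("&", ";"))


def parse_ampersand_only(qs: str) -> List[Pair]:
    """Post-fix default: only '&' separates parameters (HTML5 form rules)."""
    return split_pairs(qs, ("&",))


def separator_differential(qs: str) -> List[Pair]:
    """Pairs on which the two parsers disagree, sorted for stable comparison.

    A non-empty result means a front-end (cache or proxy) that keys on
    '&'-separated parameters and an application still using the legacy
    parser interpret the same URL differently. An empty result means the
    query string reads the same under either rule.
    """
    legacy = set(parse_legacy(qs))
    strict = set(parse_ampersand_only(qs))
    return sorted(legacy ^ strict)


def stdlib_parse(qs: str) -> List[Pair]:
    """Call the real parse_qsl() with the separator pinned to '&'.

    `separator` is the keyword the fix added. On an interpreter that
    predates it the keyword is absent and the legacy splitting applies,
    so code running on such versions must not assume ';' is inert.
    """
    if "separator" in inspect.signature(parse_qsl).parameters:
        return parse_qsl(qs, separator="&")
    return parse_qsl(qs)


if __name__ == "__main__":
    sample = "a=1&b=2;c=3"  # constructed sample query string
    print("legacy        :", parse_legacy(sample))
    print("ampersand only:", parse_ampersand_only(sample))
    print("disagreement  :", separator_differential(sample))
    print("stdlib        :", stdlib_parse(sample))
```

`separator_differential` is the check a reviewer of a backport would want: run it over the query strings an application's tests and access logs actually contain, and every non-empty result is a URL whose meaning depends on which of the two rules the parser in front of the application applies.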




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-23 Thread Ken Jin


Ken Jin  added the comment:

@Adam:

> I haven't noticed, I'm sorry. I don't mind closing mine, just thought it could 
> be a nice first contribution. 

No worries :), please don't close yours.

> Our PRs are different though - I feel like if we are to implement this, we 
> should let the developer choose the separator and not limit to just `&` and 
> `;` - but that discussion probably belongs in the PR.

You're right, I think that's an elegant solution. In the unlikely event web 
standards change again in another 5 years, the user can change the arguments 
themselves and cpython won't have to change. And like Eric pointed out, some 
people do need ';'.

@senthil
I might make some changes soon, so it may not be ready for review yet. If I go 
ahead with the separator idea, I'll credit Adam as a co-author in the PR, which 
will require them to sign the CLA too.

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-22 Thread Éric Araujo

Éric Araujo  added the comment:

Too bad that semicolon is not recommended nowadays, it was a nice way to avoid 
ampersand HTML escape issues!

One server software that generates links using semicolons is debbugs: 
https://bugs.debian.org/cgi-bin/pkgreport.cgi?archive=both;package=gtk3-engines-xfce;package=gtk2-engines-xfce

--
components: +Library (Lib) -C API
nosy: +eric.araujo




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-22 Thread Adam Goldschmidt


Adam Goldschmidt  added the comment:

I haven't noticed, I'm sorry. I don't mind closing mine, just thought it could 
be a nice first contribution. Our PRs are different though - I feel like if we 
are to implement this, we should let the developer choose the separator and not 
limit to just `&` and `;` - but that discussion probably belongs in the PR.

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-22 Thread Senthil Kumaran


Senthil Kumaran  added the comment:

Ken, Please don't close your PR. I will review it. It has a CLA signed
which is helpful.

On Fri, Jan 22, 2021 at 4:53 AM Ken Jin  wrote:

>
> Ken Jin  added the comment:
>
> Adam, I linked a PR 2 days ago here
> https://github.com/python/cpython/pull/24271 , it has the test suite
> passing and the appropriate changes to cgi.py. Would you like to review it?
> Or since you submitted a PR, would you prefer I close mine instead?
>

--
title: [security] urllib.parse.parse_qsl(): Web cache poisoning - `;` as a 
query args separator -> [security] urllib.parse.parse_qsl(): Web cache 
poisoning - `; ` as a query args separator




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-22 Thread Ken Jin


Ken Jin  added the comment:

Adam, I linked a PR 2 days ago here 
https://github.com/python/cpython/pull/24271 , it has the test suite passing 
and the appropriate changes to cgi.py. Would you like to review it? Or since 
you submitted a PR, would you prefer I close mine instead?

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-22 Thread Adam Goldschmidt


Change by Adam Goldschmidt :


--
pull_requests: +23120
pull_request: https://github.com/python/cpython/pull/24297




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-20 Thread Senthil Kumaran


Change by Senthil Kumaran :


--
nosy: +orsenthil




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-20 Thread Ken Jin


Ken Jin  added the comment:

FWIW, a surprising number of things rely on treating ';' as a valid separator 
in the standard test suite.

From just a cursory look:

test_cgi
test_urlparse

A change in the public API of urlparse will also require a change in cgi.py's 
FieldStorage, FieldStorage.read_multi, parse and parse_multipart to expose that 
parameter since those functions forward arguments directly to 
urllib.parse.parse_qs internally.

If we backport this, it seems that we will *also* need to backport all those 
changes to cgi's public API. Otherwise, just backporting the security fix part 
without allowing the user to switch would break existing code.

Just my 2 cents on the issue. I'm not too familiar with security fixes in 
cpython anyways ;).

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-20 Thread Ken Jin


Change by Ken Jin :


--
keywords: +patch
nosy: +kj
nosy_count: 4.0 -> 5.0
pull_requests: +23094
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/24271




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-20 Thread STINNER Victor


STINNER Victor  added the comment:

> Python implementation obeys contemporary standards

The contemporary standard is HTML5 and HTML5 asks to only split at "&", no?

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-20 Thread Serhiy Storchaka


Serhiy Storchaka  added the comment:

It looks to me that this is an issue of proxies, not Python. The Python 
implementation obeys contemporary standards, and they are not formally 
cancelled yet. If we add an option in parse_qsl() or change its default 
behavior, it should be considered a new feature which helps to mitigate 
proxies' issues.

--
nosy: +serhiy.storchaka




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-20 Thread STINNER Victor


STINNER Victor  added the comment:

> Sorry for the title mess: It seems that when replying to a ticket, RoundUp 
> uses the subject line as the new header regardless of what it was set to 
> before.

Yeah, it's annoying :-( I like to put a module name in the issue title, to help 
bug triage.

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-20 Thread Marc-Andre Lemburg


Marc-Andre Lemburg  added the comment:

Sorry for the title mess: It seems that when replying to a ticket, RoundUp uses 
the subject line as the new header regardless of what it was set to before.

--




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-20 Thread STINNER Victor


Change by STINNER Victor :


--
title: [security] Web cache poisoning - `;` as a query args separator -> 
[security] urllib.parse.parse_qsl(): Web cache poisoning - `;` as a query args 
separator




[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-01-20 Thread STINNER Victor


Change by STINNER Victor :


--
title: urllib.parse.parse_qsl(): Web cache poisoning - `;` as a query args 
separator -> [security] urllib.parse.parse_qsl(): Web cache poisoning - `;` as 
a query args separator
