
Author orsenthil
Recipients AdamGold, eric.araujo, kj, lemburg, lukasz.langa, ned.deily, orsenthil, serhiy.storchaka, vstinner
Date 2021-02-14.15:27:07
Message-id <1613316428.45.0.27612415676.issue42967@roundup.psfhosted.org>
Content
I finished reviewing this PR https://github.com/python/cpython/pull/24297

With the context given in the W3C recommendation, the Snyk.io security report, and the pattern of usage in libraries like werkzeug and bottle, instead of ignoring this and letting this behavior be handled at the proxy software level, addressing this in the stdlib as a safeguard seems like a much better choice to me.

The change and the approach taken by Adam's patch look good to me. I have requested documentation updates and a news entry, and it will be merged for Python 3.10 and ported to earlier versions.

- Fixing this in 3.10 is going to break the behavior of software which relied on both "&" and ";" as query parameter separators. Only a single separator will be allowed, and it will default to &. This will be mentioned in the documentation.

- As we back-port this to security releases of Python, a rationale for this change can be added. The documentation or news entry could help developers with their plans to upgrade.
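The behavior change described above, shown as an added example that is not part of the PR or the CPython sources. It assumes a Python whose `urllib.parse.parse_qsl`/`parse_qs` accept the `separator` keyword (the fix being discussed). `parse_legacy` is a constructed emulation of the old "split on both & and ;" behavior, included only for side-by-side comparison, and `ambiguous_keys` is a hypothetical check that flags query strings two parsers would read differently:

```python
from urllib.parse import parse_qs, parse_qsl


def parse_legacy(query: str) -> list[tuple[str, str]]:
    """Emulate the pre-fix behaviour: both '&' and ';' split parameters.

    Constructed here for comparison only; it is not the stdlib code. Rewriting
    ';' to '&' before parsing reproduces the old double split exactly, since
    percent-encoded '%3B' is untouched by the replace.
    """
    return parse_qsl(query.replace(";", "&"), separator="&")


def parse_current(query: str, separator: str = "&") -> list[tuple[str, str]]:
    """Post-fix behaviour: exactly one separator, '&' unless the caller opts in
    to ';' explicitly. A ';' inside a value is now just part of that value."""
    return parse_qsl(query, separator=separator)


def multi_value(query: str, separator: str = "&") -> dict[str, list[str]]:
    """Same comparison for parse_qs, which keeps repeated keys as lists."""
    return parse_qs(query, separator=separator)


def ambiguous_keys(query: str) -> list[str]:
    """Hypothetical safeguard: names whose effective value differs between the
    legacy and the single-separator interpretation (last occurrence wins, as a
    typical framework would resolve repeated keys). A non-empty result means a
    proxy, cache or WAF splitting on ';' and an application splitting only on
    '&' would disagree about what this request asks for."""
    legacy = dict(parse_legacy(query))
    current = dict(parse_current(query))
    return sorted(k for k in set(legacy) | set(current)
                  if legacy.get(k) != current.get(k))


if __name__ == "__main__":
    # Constructed sample: a ';' smuggled into a value to add a second 'role'.
    query = "user=alice&role=guest;role=admin"
    print("legacy :", parse_legacy(query))
    print("current:", parse_current(query))
    print("opt-in ;", parse_current("a=1;b=2", separator=";"))
    print("differs on:", ambiguous_keys(query))
```

Under the old behavior the sample query yields `role=admin` (the last of two `role` pairs); under the fixed default it yields a single `role` whose value is the literal string `guest;role=admin`, and callers that genuinely want `;` must pass `separator=";"`.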