
Author rschiron
Recipients AdamGold, eric.araujo, gregory.p.smith, kj, lemburg, lukasz.langa, mcepl, ned.deily, orsenthil, rschiron, serhiy.storchaka, vstinner
Date 2021-03-09.16:04:49
Message-id <1615305890.19.0.277214716604.issue42967@roundup.psfhosted.org>
Content
This CVE was reported against Python, however it does not seem to be Python's fault for supporting the `;` separator, which was a valid separator for older standards.

@AdamGold for this issue to become a real security problem, it seems that the proxy has to be configured to ignore certain parameters in the query. For NGINX and Varnish proxies mentioned in the article it seems that by default they use the entire request path, host included, and other things as cache key. For NGINX in particular I could find some snippets online to manipulate the query arguments and split them into arguments, so as to remove the "utm_*" arguments, however this does not seem a standard (or at least default) behaviour, nor something easily supported.

I think that if that is the case and a user has to go out of his way to configure the (wrong) splitting of arguments in the proxy, it is not fair to blame Python for accepting `;` as separator and assigning a CVE against it may cause confusion.

For distributions this is problematic as they have 2 choices:
1) "fix" Python but with the risk of breaking users' programs/scripts relying on the previous API
2) keep older version/unpatched Python so that users' programs still work, but with a Python version "vulnerable" to this CVE.

None of these options is really ideal, especially if the problem is somewhere else.

@AdamGold Could you elaborate a bit more on how common it is and how much configuration is required for proxies to make `;` a problem in Python?
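
The mismatch discussed in this message, as an added example that is not part of the original message or of CPython: a proxy rule assumed to split on `&` only and leave `utm_*` out of the cache key, next to a backend that also splits on `;`. The function names, the `/view` path and the sample queries are constructed for illustration; `separator` is the `urllib.parse.parse_qsl` keyword available in patched Python releases.

```python
import re
from urllib.parse import parse_qsl

# Assumption: the proxy was configured to leave utm_* out of the cache key.
UNKEYED = re.compile(r"^utm_")

# Constructed sample queries; only the second one contains ';'.
Q_PLAIN = "item=1&utm_source=news"
Q_SEMI = "item=1&utm_source=news;item=2"


def proxy_cache_key(path, query):
    """Hypothetical proxy rule: split on '&' only, drop utm_* pairs."""
    kept = [p for p in query.split("&")
            if p and not UNKEYED.match(p.split("=", 1)[0])]
    return path + "?" + "&".join(kept)


def legacy_backend_params(query):
    """Emulates the older parsing where '&' and ';' both separate pairs."""
    pairs = [p for chunk in query.split("&") for p in chunk.split(";") if p]
    return dict(parse_qsl("&".join(pairs), separator="&"))  # last value wins


def strict_backend_params(query):
    """Parsing with '&' as the only separator, matching the proxy's split."""
    return dict(parse_qsl(query, separator="&"))


def keyed_view(params):
    """The parameters the cache key is supposed to represent."""
    return {k: v for k, v in params.items() if not UNKEYED.match(k)}


def views_disagree(path, q1, q2, parse):
    """True if two requests share a cache key but the backend sees
    different keyed parameters, i.e. the cache would mix their responses."""
    same_key = proxy_cache_key(path, q1) == proxy_cache_key(path, q2)
    return same_key and keyed_view(parse(q1)) != keyed_view(parse(q2))


if __name__ == "__main__":
    for name, parse in (("legacy", legacy_backend_params),
                        ("strict", strict_backend_params)):
        print(name, views_disagree("/view", Q_PLAIN, Q_SEMI, parse))
```

With a proxy that keys on the full request, `proxy_cache_key` would differ for the two queries and neither parser would produce a disagreement, which is the default-configuration case the message describes.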