This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author rschiron
Recipients AdamGold, eric.araujo, gregory.p.smith, kj, lemburg, lukasz.langa, mcepl, ned.deily, orsenthil, petr.viktorin, rschiron, serhiy.storchaka, vstinner
Date 2021-03-10.15:57:50
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1615391870.5.0.927078641333.issue42967@roundup.psfhosted.org>
In-reply-to
Content 
> So far, we at openSUSE had to package at least SQLAlchemy, Twisted, yarl and furl. The author of the first one acknowledged use of semicolon as a bug. I don't think it was so bad.

Did you upstream fixes for those packages?

Asking because if this is considered a vulnerability in Python, it should be considered a vulnerability for every other tool/library that accept `;` as separator. For example, Twisted seems to have a parse_qs method in web/http.py file that splits by both `;` and `&`.

Again, I feel like we are blaming the wrong piece of the stack, unless proxies are usually ignoring some arguments (e.g. utm_*) as part of the cache key, by default or in a very easy way.
History
Date User Action Args
2021-03-10 15:57:50rschironsetrecipients: + rschiron, lemburg, gregory.p.smith, orsenthil, vstinner, ned.deily, mcepl, eric.araujo, petr.viktorin, lukasz.langa, serhiy.storchaka, kj, AdamGold
2021-03-10 15:57:50rschironsetmessageid: <1615391870.5.0.927078641333.issue42967@roundup.psfhosted.org>
2021-03-10 15:57:50rschironlinkissue42967 messages
2021-03-10 15:57:50rschironcreate