Message388440
> So far, we at openSUSE had to package at least SQLAlchemy, Twisted, yarl and furl. The author of the first one acknowledged use of semicolon as a bug. I don't think it was so bad.
Did you upstream fixes for those packages?
Asking because if this is considered a vulnerability in Python, it should be considered a vulnerability for every other tool/library that accept `;` as separator. For example, Twisted seems to have a parse_qs method in web/http.py file that splits by both `;` and `&`.
Again, I feel like we are blaming the wrong piece of the stack, unless proxies are usually ignoring some arguments (e.g. utm_*) as part of the cache key, by default or in a very easy way. |
|
Date |
User |
Action |
Args |
2021-03-10 15:57:50 | rschiron | set | recipients:
+ rschiron, lemburg, gregory.p.smith, orsenthil, vstinner, ned.deily, mcepl, eric.araujo, petr.viktorin, lukasz.langa, serhiy.storchaka, kj, AdamGold |
2021-03-10 15:57:50 | rschiron | set | messageid: <1615391870.5.0.927078641333.issue42967@roundup.psfhosted.org> |
2021-03-10 15:57:50 | rschiron | link | issue42967 messages |
2021-03-10 15:57:50 | rschiron | create | |
|