
Author: gregory.p.smith
Recipients: AdamGold, eric.araujo, gregory.p.smith, kj, lemburg, lukasz.langa, mcepl, ned.deily, orsenthil, petr.viktorin, rschiron, serhiy.storchaka, vstinner
Date: 2021-03-10.17:40:29
SpamBayes Score: -1.0
Marked as misclassified: Yes
Message-id: <1615398030.4.0.938541500765.issue42967@roundup.psfhosted.org>
In-reply-to:
Content:
Riccardo - FWIW I agree, the wrong part of the stack was blamed and a CVE was wrongly sought for against CPython on this one.

It's sewage under the bridge at this point. The API change has shipped in several different stable releases and thus is something virtually all Python code must now deal with.

Why was this a bad change to make?  Python's parse_qsl obeyed the prevailing HTML 4 standard at the time it was written:

https://www.w3.org/TR/html401/appendix/notes.html#ampersands-in-uris

'''
We recommend that HTTP server implementors, and in particular, CGI implementors support the use of ";" in place of "&"
'''

That turns out to have been bad advice in the standard. 15 years later the html5 standard quoted in Adam's snyk blog post links to its text on this which leaves no room for that interpretation.

In that light, the correct thing to do for this issue would be to:

* Make the default behavior change in 3.10 match the html5 standard [done].
* Document that it matches the html4 standard in 3.9 and earlier without changing their default behavior [oops, too late, not done].
* While adding the ability to allow applications to select the stricter behavior on those older versions.  [only sort of done, and somewhat too late now that the strict version has already shipped as stable]

After all, the existence of html5 didn't magically fix all of the html and web applications written in the two decades of web that came before it.  Ask any browser author...
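The two parsing rules the message contrasts, shown side by side in added example code (not from the issue or from CPython itself). It uses the `separator` argument that the change added to `urllib.parse.parse_qsl`, falls back to the interpreter's old default where that argument is absent, and emulates the legacy ";"-or-"&" rule by folding ";" into "&" before parsing; that emulation is an assumption of this example, justified by the old implementation splitting the string before percent-decoding it.

```python
"""Compare how urllib.parse.parse_qsl splits a query string under the
HTML5 rule ('&' only, the current default) and the legacy HTML4-era rule
(';' or '&'), and let an application pin the rule it wants explicitly."""
import inspect
from urllib.parse import parse_qsl

# True on interpreters that shipped the separator argument (3.9.2 and the
# corresponding bugfix/security releases of the older branches).
HAS_SEPARATOR_ARG = "separator" in inspect.signature(parse_qsl).parameters


def parse_html5(qs):
    """Current default: only '&' separates name=value pairs."""
    if HAS_SEPARATOR_ARG:
        return parse_qsl(qs, separator="&")
    # Interpreter without the argument: its default still splits on ';',
    # so protect literal ';' by percent-encoding it before parsing (assumed
    # emulation; parse_qsl decodes it back to ';' after splitting).
    return parse_qsl(qs.replace(";", "%3B"))


def parse_legacy(qs):
    """Pre-change behaviour: ';' and '&' both separate pairs.

    The separator argument accepts a single string, so the old rule is
    emulated by folding ';' into '&' first. The old implementation split the
    string before percent-decoding, so an encoded %3B is still preserved."""
    if HAS_SEPARATOR_ARG:
        return parse_qsl(qs.replace(";", "&"), separator="&")
    return parse_qsl(qs)  # the old default already applies the legacy rule


def parameter_view_diff(qs):
    """Names seen under one rule but not the other, sorted.

    A non-empty result means two components that disagree on the separator
    (for example a proxy and the application behind it) would see different
    parameter sets for the same query string."""
    html5_names = {name for name, _ in parse_html5(qs)}
    legacy_names = {name for name, _ in parse_legacy(qs)}
    return sorted(html5_names ^ legacy_names)


if __name__ == "__main__":
    # Constructed sample query strings, not taken from the issue.
    for sample in ("a=1;b=2&c=3", "a=1&c=3", "x=%3B"):
        print(sample)
        print("  html5 :", parse_html5(sample))
        print("  legacy:", parse_legacy(sample))
        print("  differ:", parameter_view_diff(sample))
```

Passing `separator` explicitly, as `parse_html5` does, is the portable way to pin the behaviour: code that relies on the default gets the legacy rule on interpreters without the argument and the HTML5 rule on those with it.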
History
Date                 User              Action   Args
2021-03-10 17:40:30  gregory.p.smith   set      recipients: + gregory.p.smith, lemburg, orsenthil, vstinner, ned.deily, mcepl, eric.araujo, petr.viktorin, lukasz.langa, serhiy.storchaka, rschiron, kj, AdamGold
2021-03-10 17:40:30  gregory.p.smith   set      messageid: <1615398030.4.0.938541500765.issue42967@roundup.psfhosted.org>
2021-03-10 17:40:30  gregory.p.smith   link     issue42967 messages
2021-03-10 17:40:29  gregory.p.smith   create