Message 385352 - Python tracker

Message385352

Author	kj
Recipients	AdamGold, kj, lemburg, serhiy.storchaka, vstinner
Date	2021-01-20.16:06:29
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1611158790.09.0.212553831731.issue42967@roundup.psfhosted.org>
In-reply-to

Content
FWIW, a surprising amount of things rely on treating ';' as a valid separator in the standard test suite. From just a cursory look: test_cgi test_urlparse A change in the public API of urlparse will also require a change in cgi.py's FieldStorage, FieldStorage.read_multi, parse and parse_multipart to expose that parameter since those functions forward arguments directly to urllib.parse.parse_qs internally. If we backport this, it seems that we will also need to backport all those changes to cgi's public API. Otherwise, just backporting the security fix part without allowing the user to switch would break existing code. Just my 2 cents on the issue. I'm not too familiar with security fixes in cpython anyways ;).

Content

FWIW, a surprising amount of things rely on treating ';' as a valid separator in the standard test suite.

From just a cursory look:

test_cgi
test_urlparse

A change in the public API of urlparse will also require a change in cgi.py's FieldStorage, FieldStorage.read_multi, parse and parse_multipart to expose that parameter since those functions forward arguments directly to urllib.parse.parse_qs internally.

If we backport this, it seems that we will *also* need to backport all those changes to cgi's public API. Otherwise, just backporting the security fix part without allowing the user to switch would break existing code.

Just my 2 cents on the issue. I'm not too familiar with security fixes in cpython anyways ;).

History
Date	User	Action	Args
2021-01-20 16:06:30	kj	set	recipients: + kj, lemburg, vstinner, serhiy.storchaka, AdamGold
2021-01-20 16:06:30	kj	set	messageid: <1611158790.09.0.212553831731.issue42967@roundup.psfhosted.org>
2021-01-20 16:06:30	kj	link	issue42967 messages
2021-01-20 16:06:29	kj	create