Message388440
| Author | rschiron |
|---|---|
| Recipients | AdamGold, eric.araujo, gregory.p.smith, kj, lemburg, lukasz.langa, mcepl, ned.deily, orsenthil, petr.viktorin, rschiron, serhiy.storchaka, vstinner |
| Date | 2021-03-10.15:57:50 |
| Message-id | <1615391870.5.0.927078641333.issue42967@roundup.psfhosted.org> |
| In-reply-to |
| Content | |
|---|---|
> So far, we at openSUSE had to package at least SQLAlchemy, Twisted, yarl and furl. The author of the first one acknowledged use of semicolon as a bug. I don't think it was so bad.

Did you upstream fixes for those packages? Asking because if this is considered a vulnerability in Python, it should be considered a vulnerability for every other tool/library that accepts `;` as separator. For example, Twisted seems to have a parse_qs method in web/http.py file that splits by both `;` and `&`.

Again, I feel like we are blaming the wrong piece of the stack, unless proxies are usually ignoring some arguments (e.g. utm_*) as part of the cache key, by default or in a very easy way.

| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2021-03-10 15:57:50 | rschiron | set | recipients: + rschiron, lemburg, gregory.p.smith, orsenthil, vstinner, ned.deily, mcepl, eric.araujo, petr.viktorin, lukasz.langa, serhiy.storchaka, kj, AdamGold |
| 2021-03-10 15:57:50 | rschiron | set | messageid: <1615391870.5.0.927078641333.issue42967@roundup.psfhosted.org> |
| 2021-03-10 15:57:50 | rschiron | link | issue42967 messages |
| 2021-03-10 15:57:50 | rschiron | create | |