Riccardo Schirone <rschi...@redhat.com> added the comment:

This CVE was reported against Python; however, it does not seem to be Python's 
fault for supporting the `;` separator, which was a valid separator in older 
standards.

@AdamGold for this issue to become a real security problem, it seems that the 
proxy has to be configured to ignore certain parameters in the query. For the NGINX 
and Varnish proxies mentioned in the article, it seems that by default they use 
the entire request path, host included, and other things as the cache key. For 
NGINX in particular I could find some snippets online to manipulate the query 
string and split it into arguments, so as to remove the "utm_*" arguments; 
however, this does not seem to be standard (or at least default) behaviour, nor 
something easily supported.

I think that if that is the case and a user has to go out of his way to 
configure the (wrong) splitting of arguments in the proxy, it is not fair to 
blame Python for accepting `;` as a separator, and assigning a CVE against it may 
cause confusion.

For distributions this is problematic as they have 2 choices:
1) "fix" Python, but with the risk of breaking users' programs/scripts relying 
on the previous API
2) keep the older/unpatched Python so that users' programs still work, but 
with a Python version "vulnerable" to this CVE.

None of these options is really ideal, especially if the problem is somewhere 
else.

@AdamGold Could you elaborate a bit more on how common it is and how much 
configuration is required for proxies to make `;` a problem in Python?

----------
nosy: +rschiron

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42967>
_______________________________________
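The parser differential the comment describes, as an added example that is not part of the original tracker thread: a pre-fix Python-style parser that splits on both `&` and `;` beside a proxy-style parser that splits on `&` only, plus a modelled (non-default, assumed) cache-key rule that drops `utm_*` pairs. The sample query, the `utm_` prefix rule and the helper names are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample query: the ';' hides a third pair from any parser that
# only splits on '&'. 'utm_source' stands in for the tracking parameters the
# comment says some proxy configurations strip from the cache key.
SAMPLE_QUERY = "page=home&utm_source=news;debug=1"


def split_on(query, separators):
    """Model a query-string parser that splits pairs on every character in
    `separators`: '&;' for the pre-fix Python behaviour, '&' for the proxy."""
    pairs = {}
    for pair in re.split("[" + re.escape(separators) + "]", query):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        pairs.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return pairs


def cache_key(query, ignored_prefix="utm_"):
    """Model an (assumed, non-default) proxy cache key: split on '&' only and
    drop pairs whose name starts with the tracking prefix."""
    kept = [p for p in query.split("&") if p and not p.startswith(ignored_prefix)]
    return "&".join(kept)


def parameters_unseen_by_proxy(query):
    """Names the application parser ('&' and ';') sees that the '&'-only proxy
    parser does not; a non-empty result means the two sides disagree."""
    app = split_on(query, "&;")
    proxy = split_on(query, "&")
    return sorted(set(app) - set(proxy))


def interpreter_splits_on_semicolon():
    """Check whether this interpreter's parse_qs still splits on ';' by default
    (True on pre-fix Python, False once the '&'-only default is in place)."""
    return "b" in parse_qs("a=1;b=2")


if __name__ == "__main__":
    print("app-only parameters:", parameters_unseen_by_proxy(SAMPLE_QUERY))
    print("modelled cache key:  ", cache_key(SAMPLE_QUERY))
    print("parse_qs splits on ';':", interpreter_splits_on_semicolon())
```

The modelled cache key collapses the whole `utm_source=news;debug=1` pair, so two requests that the application parses differently can share one cache entry; that is the configuration dependence the comment asks about.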