Riccardo Schirone <rschi...@redhat.com> added the comment:

> So far, we at openSUSE had to package at least SQLAlchemy, Twisted, yarl and 
> furl. The author of the first one acknowledged use of semicolon as a bug. I 
> don't think it was so bad.

Did you upstream fixes for those packages?

Asking because if this is considered a vulnerability in Python, it should be 
considered a vulnerability for every other tool/library that accepts `;` as a 
separator. For example, Twisted seems to have a parse_qs method in the web/http.py 
file that splits by both `;` and `&`.

Again, I feel like we are blaming the wrong piece of the stack, unless proxies 
are usually ignoring some arguments (e.g. utm_*) as part of the cache key, by 
default or in a very easy way.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42967>
_______________________________________
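To make the parser disagreement discussed in this thread concrete, here is an added illustration (not code from the tracker or from any of the projects named): it contrasts the current `&`-only default of `urllib.parse.parse_qs` with an emulation of the legacy behaviour that also split on `;`, and exposes a check that flags query strings on which a `;`-splitting component and a strict one would see different parameter sets. It assumes a Python whose `parse_qs` accepts the `separator` keyword (the release that fixed bpo-42967 or newer).

```python
"""Strict ('&'-only) vs. legacy ('&' and ';') query-string parsing.

Added illustration for the bpo-42967 discussion; not code from CPython's
tracker or from SQLAlchemy, Twisted, yarl or furl. Assumes a Python whose
parse_qs accepts the `separator` keyword.
"""
from __future__ import annotations

from urllib.parse import parse_qs


def parse_strict(qs: str) -> dict[str, list[str]]:
    """Split only on '&', the current CPython default (separator='&')."""
    return parse_qs(qs, keep_blank_values=True, separator="&")


def parse_legacy(qs: str) -> dict[str, list[str]]:
    """Emulate the pre-fix behaviour that split on both '&' and ';'.

    Rewriting every ';' as '&' before a strict parse yields exactly the
    pairs the old double split produced, so no private API is needed.
    """
    return parse_qs(qs.replace(";", "&"), keep_blank_values=True, separator="&")


def parsing_disagrees(qs: str) -> bool:
    """True when a component that still splits on ';' would derive a
    different parameter set than one splitting on '&' alone. Two such
    components in one request path cannot be assumed to agree on what
    the request's parameters are."""
    return parse_strict(qs) != parse_legacy(qs)


def keys_hidden_from_strict(qs: str) -> set[str]:
    """Parameter names a ';'-splitting parser would see but a strict parser
    folds into another parameter's value; handy for logging or alerting
    on requests whose interpretation depends on the parser in use."""
    return set(parse_legacy(qs)) - set(parse_strict(qs))


if __name__ == "__main__":
    # Constructed sample: a ';' inside what a strict parser treats as one value.
    sample = "a=1;b=2&c=3"
    print("strict :", parse_strict(sample))
    print("legacy :", parse_legacy(sample))
    print("differs:", parsing_disagrees(sample), keys_hidden_from_strict(sample))
```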