Gregory P. Smith <g...@krypto.org> added the comment:

Riccardo - FWIW I agree, the wrong part of the stack was blamed and a CVE was 
wrongly sought against CPython on this one.

It's sewage under the bridge at this point. The API change has shipped in 
several different stable releases and thus is something virtually all Python 
code must now deal with.

Why was this a bad change to make?  Python's parse_qsl obeyed the prevailing 
HTML 4 standard at the time it was written:

https://www.w3.org/TR/html401/appendix/notes.html#ampersands-in-uris

'''
We recommend that HTTP server implementors, and in particular, CGI implementors 
support the use of ";" in place of "&"
'''

That turns out to have been bad advice in the standard. 15 years later the 
html5 standard quoted in Adam's snyk blog post links to its text on this which 
leaves no room for that interpretation.

In that light, the correct thing to do for this issue would be to:

* Make the default behavior change in 3.10 match the html5 standard [done].
* Document that it matches the html4 standard in 3.9 and earlier without 
changing their default behavior [oops, too late, not done].
* While adding the ability to allow applications to select the stricter 
behavior on those older versions.  [only sort of done, and somewhat too late 
now that the strict version has already shipped as stable]

After all, the existence of html5 didn't magically fix all of the html and web 
applications written in the two decades of web that came before it.  Ask any 
browser author...

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42967>
_______________________________________
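The two parsing rules the comment contrasts, side by side. This is an added example, not code from the thread or from CPython: it reproduces the old HTML 4 style behaviour (both ";" and "&" end a pair) on top of the current parse_qsl, uses the explicit separator keyword that exists in CPython 3.9.2+ and the corresponding security releases of older branches, and adds a check an application can run to detect query strings on which the two interpretations disagree. The sample query strings are constructed.

```python
"""Compare the HTML 4 and HTML 5 interpretations of the query-string pair
separator discussed in the thread. Added example, not CPython's own code."""
from urllib.parse import parse_qsl


def parse_html4_style(qs: str) -> list[tuple[str, str]]:
    """Legacy interpretation: a pair ends at either '&' or ';'.

    Reproduces the old default by pre-splitting on both characters and
    handing every fragment to parse_qsl, so percent-decoding, blank-value
    and '=' handling stay identical to the library's own.
    """
    fragments = [frag for chunk in qs.split("&") for frag in chunk.split(";")]
    pairs: list[tuple[str, str]] = []
    for frag in fragments:
        # A fragment contains neither separator, so this yields 0 or 1 pairs.
        pairs.extend(parse_qsl(frag, separator="&"))
    return pairs


def parse_html5_style(qs: str) -> list[tuple[str, str]]:
    """Current interpretation: only '&' separates pairs.

    The separator keyword (available since the security releases that made
    this change) is passed explicitly so the result does not depend on the
    interpreter's patch level.
    """
    return parse_qsl(qs, separator="&")


def is_ambiguous(qs: str) -> bool:
    """True when the two interpretations disagree.

    That happens whenever a ';' appears where the old rules would have
    started a new pair. Logging or rejecting such input is a cheap check
    for applications where a cache, proxy or framework in front of the
    Python code may split the same query string under a different rule.
    """
    return parse_html4_style(qs) != parse_html5_style(qs)


# Constructed sample inputs (not taken from the thread).
SAMPLES = {
    "plain": "a=1&b=2",
    "mixed": "a=1;b=2&c=3",
    "semicolon_only": "a=1;b=2",
}

if __name__ == "__main__":
    for name, qs in SAMPLES.items():
        print(f"{name}: {qs!r}")
        print("  html4 :", parse_html4_style(qs))
        print("  html5 :", parse_html5_style(qs))
        print("  ambiguous:", is_ambiguous(qs))
```

Running the module prints the three samples; only the ones containing ";" come out differently under the two rules, which is exactly the class of input the comment says older, HTML 4 era code has to be audited for.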