Bug#984831: bugs.debian.org: should not emit semicolon as query param separator
On Mon, 2021-03-08 at 20:42 +, Phil Morrell wrote: > As reported on #debian-til, python can no longer parse bugs.d.o URLs > correctly out of the box. The change was backported as a security > update > to 3.6+ so also affects buster. fwiw, that seems to be a non-sequitur. Yes, it's been backported upstream, but there's been no corresponding upload to buster of any Python version that incorporates the change that I can see. Regards, Adam
Bug#984831: bugs.debian.org: should not emit semicolon as query param separator
Control: retitle -1 switch from semicolon ';' to ampersand '&' for query parameter separation On Mon, 08 Mar 2021, Phil Morrell wrote: > As reported on #debian-til, python can no longer parse bugs.d.o URLs > correctly out of the box. The change was backported as a security update > to 3.6+ so also affects buster. > > https://bugs.python.org/issue42967 This looks like an issue in python's urllib. ';' are perfectly valid query parameter separators for URIs and anything consuming debbugs URIs should pass appropriate options to support them. That said, we probably should switch away from semicolons as they are no longer recommended. > From what I can tell, the search form and msg= use semicolon and I > actually can't find any with ampersand. Everything uses semicolon, but we can probably just make Debbugs::URI call query_form instead of query_param. -- Don Armstrong https://www.donarmstrong.com I would like to be the air that inhabits you for a moment only. I would like to be that unnoticed & that necessary. -- Margaret Atwood "Poetry in Motion" p140
Bug#984831: bugs.debian.org: should not emit semicolon as query param separator
Package: bugs.debian.org Severity: wishlist Hi, As reported on #debian-til, python can no longer parse bugs.d.o URLs correctly out of the box. The change was backported as a security update to 3.6+ so also affects buster. https://bugs.python.org/issue42967 > Changed in version 3.10: Added separator parameter with the default > value of &. Python versions earlier than Python 3.10 allowed using > both ; and & as query parameter separator. This has been changed to > allow only a single separator key, with & as the default separator. From what I can tell, the search form and msg= use semicolon and I actually can't find any with ampersand. I had a poke through salsa and believe this can be fixed with a `s/query_form/query_param/g`, but I don't know Perl. This feature was added in 2006 and has been completely untouched since then, so presumably it's missing upstream bugfixes. https://salsa.debian.org/debbugs-team/debbugs/-/commit/2c18114353029cfd5784df5c6def6c0b22de4ca7 -- Phil Morrell (emorrp1) -- System Information: Debian Release: 10.8 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-14-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_CRAP, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled signature.asc Description: PGP signature