[issue38216] Fix for issue30458 prevents crafting invalid requests

2019-09-20 Thread Tim Burke
Tim Burke added the comment: > Since at least one project is known to have been impacted, it's not > unreasonable to expect that more will be. I can confirm at least one other: OpenStack Swift's stable jobs have been broken by https://github.com/python/cpython/commit/bb8071a since 11 Sep;

[issue38216] Fix for issue30458 prevents crafting invalid requests

2019-09-20 Thread Jason R. Coombs
Jason R. Coombs added the comment: Thanks for all the comments. I agree the current (secure by default) implementation is desirable. I also agree that such usage was never explicitly supported, so the "regression" here is perhaps over-stated. What I seek is to avoid the Go recommendation

[issue38216] Fix for issue30458 prevents crafting invalid requests

2019-09-20 Thread Gregory P. Smith
Gregory P. Smith added the comment: All bug fixes are behavior changes. Any broken behavior can be relied upon by someone. So far the only ones who have popped up with this change as being a problem is one project's test suite where the behavior was used by a test because it was a

[issue38216] Fix for issue30458 prevents crafting invalid requests

2019-09-20 Thread Matej Cepl
Change by Matej Cepl : -- nosy: +mcepl ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue38216] Fix for issue30458 prevents crafting invalid requests

2019-09-20 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: For reference this is how urllib handled the same issue in their test suite : https://github.com/urllib3/urllib3/pull/1673. golang also received similar regression report as the change landed in 1.11.6 and discussion :

[issue38216] Fix for issue30458 prevents crafting invalid requests

2019-09-19 Thread Ammar Askar
Ammar Askar added the comment: > What bothers me here is that we apparently changed de facto behavior between > maintenance releases, in the middle of 3.7's lifecycle, without warning, no > doubt because we didn't realize it would break third-party packages. Arguably, I think the programs

[issue38216] Fix for issue30458 prevents crafting invalid requests

2019-09-19 Thread Ned Deily
Ned Deily added the comment: Thanks for your comments, Greg. Here's my take as release manager for 3.7 (and for 3.6). What bothers me here is that we apparently changed de facto behavior between maintenance releases, in the middle of 3.7's lifecycle, without warning, no doubt because we

[issue38216] Fix for issue30458 prevents crafting invalid requests

2019-09-19 Thread Gregory P. Smith
Gregory P. Smith added the comment: What's needed here is a Decision. (release managers and steering councils make those) IMNSHO, this regression is intentional and does not feel like a bug. The Python HTTP APIs were never designed with an explicit intent to allow violations of the

[issue38216] Fix for issue30458 prevents crafting invalid requests

2019-09-19 Thread Larry Hastings
Larry Hastings added the comment: FWIW I planned to tag and release 3.5.8 final early next week. I don't have the domain knowledge to assess the severity of this bug--much less pitch in and help fix it--so I suspect this will simply hold up 3.5.8 final. Depending on the complexity of the

[issue38216] Fix for issue30458 prevents crafting invalid requests

2019-09-18 Thread Tim Burke
Change by Tim Burke : -- nosy: +tburke ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue38216] Fix for issue30458 prevents crafting invalid requests

2019-09-18 Thread Ned Deily
Ned Deily added the comment: Thanks for identifying this issue and breaking it out into a separate bpo, Jason. If I understand correctly, the problematic fix for Issue30458 has already been released in maintenance release 3.7.4 and security release 3.6.9, is in the current security release

[issue38216] Fix for issue30458 prevents crafting invalid requests

2019-09-18 Thread Jason R. Coombs
Change by Jason R. Coombs : -- keywords: +3.6regression, 3.7regression ___ Python tracker ___ ___ Python-bugs-list mailing list

[issue38216] Fix for issue30458 prevents crafting invalid requests

2019-09-18 Thread Sviatoslav Sydorenko
Change by Sviatoslav Sydorenko : -- nosy: +webknjaz ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue38216] Fix for issue30458 prevents crafting invalid requests

2019-09-18 Thread Karthikeyan Singaravelan
Change by Karthikeyan Singaravelan : -- nosy: +xtreak ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue38216] Fix for issue30458 prevents crafting invalid requests

2019-09-18 Thread Jason R. Coombs
New submission from Jason R. Coombs : The fix for issue30458 prevents any request line from transmitting non-ascii characters. In some cases, it's useful to transmit these illegal bytes in order to simulate a maliciously-crafted request (such as to ensure a web server responds correctly to