[issue42967] [CVE-2021-23336] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

2021-11-08 Thread STINNER Victor
Change by STINNER Victor: -- nosy: -vstinner

2021-11-04 Thread Éric Araujo
Éric Araujo added the comment: See the changelog entry for 2021-11-04 10:31:24 (and the other ticket where Guido just commented) (and thanks for cleaning spam!)

2021-11-04 Thread Erlend E. Aasland
Erlend E. Aasland added the comment: See bpo-12168 for a similar cleanup by Eryk Sun. There were approx. 20 spammed issues. Eryk fixed most of them; I did a couple.

2021-11-04 Thread Erlend E. Aasland
Erlend E. Aasland added the comment: Yes, cleaning up ahmedsayeed1982 spam. I did my best to revert the nosy list, component, versions, and assigned-to changes. What did I mess up?

2021-11-04 Thread Éric Araujo
Éric Araujo added the comment: erlandaasland you’ve been editing closed issues today (got messages from at least 2). Maybe submitting old browser tabs with obsolete form data? -- nosy: +erlendaasland

2021-11-04 Thread Erlend E. Aasland
Change by Erlend E. Aasland: -- nosy: +AdamGold, eric.araujo, gregory.p.smith, kj, lemburg, mcepl, miss-islington, ned.deily, orsenthil, pablogsal, petr.viktorin, rschiron, serhiy.storchaka, vstinner -ahmedsayeed1982 versions: +Python 3.10, Python 3.6, Python 3.7, Python 3.9

2021-11-04 Thread Erlend E. Aasland
Change by Erlend E. Aasland: -- Removed message: https://bugs.python.org/msg405709

2021-11-04 Thread Ahmed Sayeed
Ahmed Sayeed added the comment: [gdb/symtab] Handle DW_TAG_type_unit in process_psymtab_comp_unit When running test-case gdb.cp/cpexprs-debug-types.exp with target board unix/gdb:debug_flags=-gdwarf-5, I run into: ... (gdb) file cpexprs-debug-types^M Reading symbols

2021-04-16 Thread Senthil Kumaran
Senthil Kumaran added the comment: New changeset d5b80eb11b4812b4a579ce129ba4a10c5f5d27f6 by Miss Islington (bot) in branch '3.8': bpo-42967: coerce bytes separator to string in urllib.parse_qs(l) (GH-24818) (#25345)

2021-04-11 Thread Matej Cepl
Matej Cepl added the comment:

> Did you upstream fixes for those packages?

Of course we did. Upstream first!

2021-04-11 Thread miss-islington
miss-islington added the comment: New changeset 6ec2fb42f93660810952388e5c4018c197c17c8c by Miss Islington (bot) in branch '3.9': bpo-42967: coerce bytes separator to string in urllib.parse_qs(l) (GH-24818) https://github.com/python/cpython/commit/6ec2fb42f93660810952388e5c4018c197c17c8c

2021-04-11 Thread miss-islington
Change by miss-islington: -- pull_requests: +24079 pull_request: https://github.com/python/cpython/pull/25345

2021-04-11 Thread miss-islington
Change by miss-islington: -- nosy: +miss-islington nosy_count: 13.0 -> 14.0 pull_requests: +24078 pull_request: https://github.com/python/cpython/pull/25344

2021-04-11 Thread Senthil Kumaran
Senthil Kumaran added the comment: New changeset b38601d49675d90e1ee6faa47f7adaeca992d02d by Ken Jin in branch 'master': bpo-42967: coerce bytes separator to string in urllib.parse_qs(l) (#24818) https://github.com/python/cpython/commit/b38601d49675d90e1ee6faa47f7adaeca992d02d

2021-03-12 Thread Senthil Kumaran
Senthil Kumaran added the comment: Petr, on

> the `separator` argument now allows multi-character strings, so you can parse 'a=1b=2' with separator=''. Was this intentional?

No, this was not intentional. The separator arg was just a choice, for compatibility, if some wanted to use `;`

2021-03-11 Thread Petr Viktorin
Petr Viktorin added the comment: There's another part of the new implementation that looks a bit fishy: the `separator` argument now allows multi-character strings, so you can parse 'a=1b=2' with separator=''. Was this intentional?

2021-03-10 Thread Gregory P. Smith
Gregory P. Smith added the comment: Riccardo - FWIW I agree, the wrong part of the stack was blamed and a CVE was wrongly sought for against CPython on this one. It's sewage under the bridge at this point. The API change has shipped in several different stable releases and thus is something

2021-03-10 Thread Riccardo Schirone
Riccardo Schirone added the comment:

> So far, we at openSUSE had to package at least SQLAlchemy, Twisted, yarl and furl. The author of the first one acknowledged use of semicolon as a bug. I don't think it was so bad.

Did you upstream fixes for those packages? Asking because if this

2021-03-10 Thread Ken Jin
Change by Ken Jin: -- pull_requests: +23584 pull_request: https://github.com/python/cpython/pull/24818

2021-03-10 Thread Senthil Kumaran
Senthil Kumaran added the comment: Petr, thank you. Let's treat it as a new issue linked to this.

2021-03-10 Thread Petr Viktorin
Petr Viktorin added the comment: With the fix, parse_qs[l] doesn't handle bytes separators correctly. There is an explicit type check for str/bytes:

```python
if not separator or (not isinstance(separator, (str, bytes))):
    raise ValueError("Separator must be of type string or bytes.")
```

but a

2021-03-09 Thread Riccardo Schirone
Riccardo Schirone added the comment: This CVE was reported against Python, however it does not seem to be Python's fault for supporting the `;` separator, which was a valid separator for older standards. @AdamGold for this issue to become a real security problem, it seems that the proxy

2021-02-26 Thread Gregory P. Smith
Gregory P. Smith added the comment: An example code snippet to detect if the API supports the new parameter at runtime for code that wants to use something other than the default '&'.

```python
import inspect
import urllib.parse

if 'separator' in inspect.signature(urllib.parse.parse_qs).parameters:
    ... parse_qs(...,
```
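Added example, not code from the tracker thread or from CPython: it models end to end the mismatch Riccardo and Gregory describe above (a front cache that splits the query string only on `&`, in front of an origin whose parser also ended a pair at `;`), includes the runtime feature test for the `separator` argument, and shows opting back into `;` explicitly, with the bytes separator that GH-24818 made work. The cache configuration (ignoring `utm_*` parameters when building the key), the `page` parameter, the `example.test` host and the `legacy_parse_qsl` reconstruction of the pre-fix split are all assumptions of this example; it expects to run on a patched CPython, where `parse_qsl` splits only on `&` and accepts `separator`.

```python
import inspect
from urllib.parse import parse_qs, parse_qsl, urlsplit

# Hypothetical cache configuration (assumed, not from the thread): these
# tracking parameters never take part in the cache key.
UNKEYED_PARAMS = {"utm_source", "utm_medium", "utm_campaign"}


def legacy_parse_qsl(qs):
    """Pre-fix parse_qsl semantics reconstructed for this demo only: a pair
    ends at either '&' or ';'. Simplified: no percent-decoding, and pairs
    without '=' are dropped as keep_blank_values=False would."""
    pairs = [p for chunk in qs.split("&") for p in chunk.split(";")]
    out = []
    for pair in pairs:
        if "=" not in pair:
            continue
        name, value = pair.split("=", 1)
        out.append((name, value))
    return out


def proxy_cache_key(url):
    """Cache key built by a front cache that treats only '&' as a separator
    (the split a patched parse_qsl performs) and drops UNKEYED_PARAMS."""
    parts = urlsplit(url)
    keyed = [(k, v) for k, v in parse_qsl(parts.query) if k not in UNKEYED_PARAMS]
    return parts.path, tuple(sorted(keyed))


def backend_view(url, parser=parse_qsl):
    """The `page` the origin renders, given its query-string parser.
    A later duplicate key wins, exactly as dict(parse_qsl(...)) behaves."""
    return dict(parser(urlsplit(url).query)).get("page")


def poisoning_possible(benign_url, attack_url, backend_parser=parse_qsl):
    """True when the cache files both URLs under one key while the origin
    renders different pages for them: the attacker's response would then be
    cached and served to every later visitor of benign_url."""
    same_key = proxy_cache_key(benign_url) == proxy_cache_key(attack_url)
    pages_differ = (backend_view(benign_url, backend_parser)
                    != backend_view(attack_url, backend_parser))
    return same_key and pages_differ


def supports_separator_kwarg():
    """Runtime feature test: does this interpreter's parse_qs take `separator`?"""
    return "separator" in inspect.signature(parse_qs).parameters


def current_parser_splits_only_on_amp():
    """Sanity check that the running CPython carries the CVE-2021-23336 fix."""
    return parse_qsl("a=1;b=2") == [("a", "1;b=2")]


def parse_semicolon_query(qs, separator=";"):
    """Opt back into ';' explicitly for a caller that needs it; a bytes
    separator is coerced to str on releases carrying GH-24818."""
    return parse_qsl(qs, separator=separator)


# Constructed URLs: the attacker hides a second `page` inside a parameter
# the cache ignores, so the cache key collapses to that of the benign URL.
BENIGN = "https://example.test/search?page=home"
ATTACK = "https://example.test/search?page=home&utm_source=x;page=evil"

if __name__ == "__main__":
    print("same cache key:", proxy_cache_key(BENIGN) == proxy_cache_key(ATTACK))
    print("legacy origin renders:", backend_view(ATTACK, legacy_parse_qsl))
    print("patched origin renders:", backend_view(ATTACK))
    print("poisonable, legacy parser:", poisoning_possible(BENIGN, ATTACK, legacy_parse_qsl))
    print("poisonable, patched parser:", poisoning_possible(BENIGN, ATTACK))
```

The key point the thread argues about is visible in `poisoning_possible`: the query string itself is never malformed, the problem is two parsers on one request path disagreeing about where a pair ends. The fix in CPython removes the disagreement by making the stdlib match the `&`-only reading; code that genuinely needs `;` has to ask for it with `separator=";"` and, until every supported release carries the argument, guard that call with the feature test shown.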

2021-02-26 Thread Matej Cepl
Matej Cepl added the comment: Port of the patch to 2.7.18. -- Added file: https://bugs.python.org/file49839/CVE-2021-23336-only-amp-as-query-sep.patch

2021-02-26 Thread Matej Cepl
Matej Cepl added the comment:

> FYI - This was somewhat of an unfortunate API change. I'm coming across code that relies on ; also being treated as a separator by parse_qs(). That code is now broken with no easy way around it.

So far, we at openSUSE had to package at least SQLAlchemy,

2021-02-24 Thread Gregory P. Smith
Gregory P. Smith added the comment: FYI - This was somewhat of an unfortunate API change. I'm coming across code that relies on ; also being treated as a separator by parse_qs(). That code is now broken with no easy way around it. And I'm only seeing things lucky enough to have an explicit

2021-02-15 Thread STINNER Victor
STINNER Victor added the comment: I created https://python-security.readthedocs.io/vuln/urllib-query-string-semicolon-separator.html to track fixes of this vulnerability.

2021-02-15 Thread Senthil Kumaran
Senthil Kumaran added the comment: This is resolved in all versions of Python now. Thank you all for your contributions! -- resolution: -> fixed stage: patch review -> resolved status: open -> closed title: [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query