I believe that in this particular case, the bug was fixed (by tightening the requirements for headers) because the bug can lead to security vulnerabilities. I think you can find more by Googling for keywords like "http header injection". The more recent Python 2.7 bugfix releases have specific exemptions from the backwards compatibility requirements for security fixes -- because their lifespan will still be many years (EOL of 2.7 is summer 2020).

On Wed, Jul 29, 2015 at 6:06 PM, Jesus Cea <jcea@jcea.es> wrote:
Yesterday I upgraded one of my computers to 2.7.10 and a program working
for years failed.

The problem is this:

"""
http=httplib.HTTPConnection("127.0.0.1",8081)
http.request("GET","/XXXXX/%f" %last_t, "", \
  {"Authorization":"Basic %s" %base64.encodestring("%s:%s" %(a,b))})
"""

base64.encodestring() creates base64 encoding with a final '\n'. This
used to work until 2.7.9 but 2.7.10 is failing now with an exception
about an "illegal character" in a header.

I know that that code is faulty and I should drop the final '\n' or just
use "base64.b64encode()" (my current fix). The point, though, is that
this code used to work in previous 2.7 releases but it is failing under
2.7.10.

This incompatible change will be released in 3.4.4 too.

I agree that new code is better, no argument here. My program was
incorrect, sure. But I was under the impression that backwards
incompatible code was forbidden in minor releases, except for very
critical reasons (like the HTTPS security default backported to 2.7). I
think that breaking working code during minor updates is risky and
breaks user/programmer expectations.

The change was done in <https://bugs.python.org/issue22928>.

I think the change is the way to go, I don't ask for a revert (since
2.7.10 is already in the wild I want to keep it too in future 3.4.4) but
I am interested in knowing the official statement of committers about
backwards incompatible changes in minor releases for my own future
reference.

Sorry if this email seems confrontational. Not my intention, but my
English is getting worse by the day :-). This is an inquiry about
policy, not an attack.

Thanks!

--
Jesús Cea Avión                         _/_/      _/_/_/        _/_/_/
jcea@jcea.es - http://www.jcea.es/     _/_/    _/_/  _/_/    _/_/  _/_/
Twitter: @jcea                        _/_/    _/_/          _/_/_/_/_/
jabber / xmpp:jcea@jabber.org  _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz


_______________________________________________
python-committers mailing list
python-committers@python.org
https://mail.python.org/mailman/listinfo/python-committers

--
--Guido van Rossum (python.org/~guido)
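The following is an added example, not code from either message or from CPython. It shows, on the thread's own case, why a trailing '\n' in a header value is a header-injection concern and what the check introduced by issue22928 rejects. It is written for Python 3: base64.encodebytes is the Python 3 name for the base64.encodestring used above and, like it, appends '\n'; the request bytes, the "lenient receiver" parser and the credentials "a"/"b" are constructed for illustration, and the regular expression is a reimplementation of the stdlib's pattern, with the real http.client check called alongside it for comparison.

```python
"""Added example (not from the thread or CPython): the trailing '\n' from
encodestring() seen from a receiver's side, and the header-value check that
2.7.10 / 3.4.4 introduced (issue22928).
"""
import base64
import http.client
import re

# Reimplementation of the stdlib pattern (http.client._is_illegal_header_value):
# a bare LF or CR terminates the header line; CR/LF followed by SP or HT is the
# legacy line folding that is still tolerated.
ILLEGAL_HEADER_VALUE = re.compile(rb"\n(?![ \t])|\r(?![ \t\n])")


def is_illegal_header_value(value: bytes) -> bool:
    """True if the value would be rejected by the issue22928-style check."""
    return ILLEGAL_HEADER_VALUE.search(value) is not None


def basic_auth_value_old(user: str, password: str) -> bytes:
    """The pattern from the thread: encodestring-style output, trailing '\n' kept.
    (encodebytes is the Python 3 name; same trailing newline.)"""
    return b"Basic " + base64.encodebytes(f"{user}:{password}".encode("utf-8"))


def basic_auth_value_fixed(user: str, password: str) -> bytes:
    """The fix mentioned in the thread: b64encode() emits no trailing newline."""
    return b"Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8"))


def serialize_unchecked(headers):
    """Pre-2.7.10 behaviour: values go on the wire with no validation at all."""
    return b"".join(n.encode("ascii") + b": " + v + b"\r\n" for n, v in headers) + b"\r\n"


def parse_header_block(wire: bytes):
    """A constructed lenient receiver: LF ends a line, a CR before it is optional,
    and the first empty line ends the header block.
    Returns (header_lines, bytes_left_over_for_the_body)."""
    lines = []
    rest = wire
    while rest:
        line, _sep, rest = rest.partition(b"\n")
        line = line.rstrip(b"\r")
        if line == b"":
            break
        lines.append(line)
    return lines, rest


def framing_seen_by_receiver(auth_value: bytes):
    """Serialize a constructed request without validation (Authorization placed
    first so the framing effect is visible) and parse it back as a receiver would."""
    wire = serialize_unchecked([("Authorization", auth_value),
                                ("Host", b"127.0.0.1:8081")])
    return parse_header_block(wire)


def stdlib_rejects(value: bytes) -> bool:
    """True if http.client, which carries the issue22928 check, refuses the value.
    Nothing is sent: putrequest() and putheader() only buffer and validate."""
    conn = http.client.HTTPConnection("127.0.0.1", 8081)
    conn.putrequest("GET", "/")
    try:
        conn.putheader("Authorization", value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, value in (("old", basic_auth_value_old("a", "b")),
                         ("fixed", basic_auth_value_fixed("a", "b"))):
        print("%-5s value=%r illegal=%s stdlib_rejects=%s" % (
            label, value, is_illegal_header_value(value), stdlib_rejects(value)))
        headers, body = framing_seen_by_receiver(value)
        print("      receiver sees headers=%r body=%r" % (headers, body))
```

With the old value the receiver reads the LF inside the Authorization value as the end of that header line, the following "\r\n" as the blank line that closes the header block, and everything after it (here the Host header) as message body. With the b64encode() value both headers are parsed and the body is empty. The same pattern applied to http.client shows why the 2.7.10 exception is the intended outcome: the value that changes message framing is the one that is refused.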